Barcodes on ballots


Kevin Skoglund

Apr 27, 2018, 10:52:41 AM
to vvsg-cybersecurity
> 6. Ballot barcodes / encoding - I don’t feel like the WG has ever had a discussion on this topic, and it may make sense to include requirements on this subject.

The VVSG 1.0 required barcodes to be in an industry-standard format readable by standard commercial technology (7.9.3.h), but that requirement seems to have been dropped in VVSG 1.1.

I would argue that using barcodes to transfer vote selections from a BMD to a tabulator is not allowed under the VVSG 2.0 Principles.

* Barcodes are not transparent (Principle 3). They are an opaque, secret message being passed between the BMD and the tabulator. They are not a process or transaction which is "readily available for inspection," (3.2) and the public cannot "understand and verify the operations" (3.3).

* Most current barcodes are in a proprietary format. That means they are not exporting data (from the BMD) and importing data (to the tabulator) "in an interoperable format" (4.1) or in a "standard, publicly-available" format (4.2).

* Voters cannot read barcodes so they cannot "understand all information as it is presented" (7.3).

* Barcodes do not "provide individual voters the opportunity to verify that the voting system correctly interpreted their ballot selections" (9.1-B.1), and the voter does not "have the opportunity to identify ballot errors before it is cast" (9.1-F.4). Voters can verify the human-readable version, but that is not the data being cast. Any malfunction or manipulation in the barcode data would not be detectable by the voter. It most likely would not be detectable without using proprietary hardware.

* There is a danger that barcodes would be used during recounts and audits. It is easier, faster, and cheaper to scan ballots again than to do a hand count or a proper audit. (Recently, a vendor demonstrated to me how to use a central-count tabulator to recount precinct-count ballots with barcodes.) Even in a ballot-compare audit, the voting system could be used to read the barcode, and systems with proprietary or encrypted barcodes would require it. The voting system should be software independent and audits should never trust any part of the device being audited (9.1-A).

* Barcodes could contain data besides ballot selections. They should be tested to ensure they do not "contain data or metadata associated with the CVR and ballot image files which can be used to determine the order in which votes are cast" (10.2-D).

* Similar to my previous argument about different-sized ballots, barcoded ballots look different from ballots marked by hand. The barcode is an "election artifact that can be used to associate the voter’s identity with the voter’s intent, choices, or selections" (10.2).

* Barcodes add to the attack surface of a system by adding additional code and data paths, instead of limiting them (14.2). They create new opportunities for hacking the output of the barcode via the BMD or the scanning of the barcode via the tabulator. It seems likely that third-party libraries are imported into the code for both. In a worst case scenario, some barcodes (e.g., PDF417) can encode over 1.1 kilobytes of data which is enough for a small malware program or other instructions to the tabulator.


We should also ask: why do we need barcodes at all? They solve a problem that does not exist in voting systems. A ballot marking device can easily print marks to fill in circles on a paper ballot. (They could even randomly pick from a library of mark styles or be "fuzzed" to make them appear hand-marked.) Every system vendor with a digital scanner can accurately read less-precise marks on hand-marked ballots. Reading a machine-marked ballot is easy by comparison. I believe some vendors have systems which currently do this.

Barcodes could still be used for ballot style and precinct configuration (in a readable, interoperable format). However, I think the principle-first design of VVSG 2.0 indicates that barcodes should not be used for ballot selections anymore.

Best,
Kevin Skoglund


Keith Ingram

Apr 27, 2018, 11:57:55 AM
to Kevin Skoglund, vvsg-cybersecurity
Strongly disagree with your statement about the "danger" of using bar codes in recounts. This demonstrates that you know very little about actual elections.

If a recount petitioner asks for a hand count then they will get a hand count. This is a public proceeding with poll watchers present. If a petitioner asks for a machine recount, then the bar codes will be scanned again. There is no "danger" involved at all.
--
To unsubscribe from this group, send email to vvsg-cybersecur...@list.nist.gov
Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecur...@list.nist.gov.


John McCarthy

Apr 27, 2018, 11:57:56 AM
to vvsg-cybe...@list.nist.gov, John Wack

Thanks very much for bringing up this issue, Kevin.

Coincidentally, I had contacted John Wack suggesting that at the very least bar codes should be in an industry-standard format readable by standard commercial technology - without realizing that had been a requirement way back with VVSG 1.0.

I agree with most all of your points and think our group ought to make this part of our agenda.

John

Kevin Skoglund

Apr 27, 2018, 12:20:29 PM
to vvsg-cybersecurity
You are correct, and I apologize for my sloppy writing. I can see how "danger" came across as a loaded word. I should rephrase it.

"There is a chance that a petitioner will ask for a machine recount and the barcodes will be scanned again. There is a chance that a jurisdiction will scan barcodes while performing audits."

My point was about the lack of software independence when either scenario occurs.

Best,
Kevin Skoglund

Bernie Hirsch

Apr 27, 2018, 12:22:41 PM
to Kevin Skoglund, vvsg-cybersecurity
Kevin,

Thank you for your thorough introduction to the barcode issue as it relates to potential requirements. I do have a rebuttal to offer in response as follows.

-----Original Message-----
From: Kevin Skoglund [mailto:ke...@kevinskoglund.com]
Sent: Friday, April 27, 2018 10:53
To: vvsg-cybersecurity
Subject: [vvsg-cybersecurity] Barcodes on ballots

> 6. Ballot barcodes / encoding - I don’t feel like the WG has ever had a discussion on this topic, and it may make sense to include requirements on this subject.

The VVSG 1.0 required barcodes to be in an industry-standard format readable by standard commercial technology (7.9.3.h), but that requirement seems to have been dropped in VVSG 1.1.

I would argue that using barcodes to transfer vote selections from a BMD to a tabulator is not allowed under the VVSG 2.0 Principles.

[Bernie Hirsch] You only mentioned one specific technology: BMD to a tabulator. Are you excluding VVPAT and other forms of voting technologies and techniques which may include use of a barcode or other machine formats?

* Barcodes are not transparent (Principle 3). They are an opaque, secret message being passed between the BMD and the tabulator. They are not a process or transaction which is "readily available for inspection," (3.2) and the public cannot "understand and verify the operations" (3.3).

[Bernie Hirsch] The public has for many years understood barcodes, which are commonly used in many different retail environments including big box and grocery stores as well as smart phone and other mobile methodologies. Barcodes allow the user to individually inspect and scan items, which then typically display human readable information for verification. A barcode is not a process or transaction. It's a technology for visually storing data.

* Most current barcodes are in a proprietary format. That means they are not exporting data (from the BMD) and importing data (to the tabulator) "in an interoperable format" (4.1) or in a "standard, publicly-available" format (4.2).

[Bernie Hirsch] There are numerous interoperable, standard, publicly-available barcode formats (QR, Datamatrix, PDF417, Aztec for 2D codes; UPC, EAN, Code 39, Code 128, ITF, Code 93, Codabar, etc. for 1D codes)

* Voters cannot read barcodes so they cannot "understand all information as it is presented" (7.3).

[Bernie Hirsch] If the barcode is scanned and interpreted for the voter (either orally or through a digital display) then they can "understand all information as it is presented," since the information would include either a visual or aural interpretation. Of course it is also possible that a system would simply NOT present a barcode to the user, and only include that information with the ballot after verification of the human readable formatted information is presented.

* Barcodes do not "provide individual voters the opportunity to verify that the voting system correctly interpreted their ballot selections" (9.1-B.1), and the voter does not "have the opportunity to identify ballot errors before it is cast" (9.1-F.4). Voters can verify the human-readable version, but that is not the data being cast. Any malfunction or manipulation in the barcode data would not be detectable by the voter. It most likely would not be detectable without using proprietary hardware.

[Bernie Hirsch] You're assuming that the paper record is the record that is "cast," and even if it is the ballot of record, a voter can verify that the barcode accurately scans and is interpreted correctly. A presentation of raw data from the barcode could also possibly be included but that seems like overkill.

* There is a danger that barcodes would be used during recounts and audits. It is easier, faster, and cheaper to scan ballots again than to do a hand count or a proper audit. (Recently, a vendor demonstrated to me how to use a central-count tabulator to recount precinct-count ballots with barcodes.) Even in a ballot-compare audit, the voting system could be used to read the barcode, and systems with proprietary or encrypted barcodes would require it. The voting system should be software independent and audits should never trust any part of the device being audited (9.1-A).

[Bernie Hirsch] As previously asserted, I disagree that voting systems should be software independent. There are other ways to determine if a voting device CAN be trusted during audit. That being said, easier, faster and cheaper are generally desirable traits. Harder, slower and more expensive encourage the danger of less auditing and recounting. The most improper audit is the one that never happens or is truncated due to time, expense or difficulty of completion. Barcodes are simply a more efficient and accurate way to visually store and later input data into an electronic system. Barcodes are almost always accompanied by human readable data which can be verified against the machine readable component.

* Barcodes could contain data besides ballot selections. They should be tested to ensure they do not "contain data or metadata associated with the CVR and ballot image files which can be used to determine the order in which votes are cast" (10.2-D).

[Bernie Hirsch] Agreed. Generally this type of testing is extensive and ongoing, including right before, during and after each election.

* Similar to my previous argument about different-sized ballots, barcoded ballots look different from ballots marked by hand. The barcode is an "election artifact that can be used to associate the voter’s identity with the voter’s intent, choices, or selections" (10.2).

[Bernie Hirsch] You can't assume that ANY ballot would be filled out by hand. If all ballots are filled out by machine (i.e. BMD or VVPAT) there is no justification to exclude barcodes. If any ballots are filled out by hand, they would be distinguished by machine generated ballots with or without a barcode. "Fuzzy" technology for printing a ballot is an interesting concept but there's nothing fuzzy about a single Chinese voter showing up at a polling place and casting the only pictographic ballot, is there?

* Barcodes add to the attack surface of a system by adding additional code and data paths, instead of limiting them (14.2). They create new opportunities for hacking the output of the barcode via the BMD or the scanning of the barcode via the tabulator. It seems likely that third-party libraries are imported into the code for both. In a worst case scenario, some barcodes (e.g., PDF417) can encode over 1.1 kilobytes of data which is enough for a small malware program or other instructions to the tabulator.

[Bernie Hirsch] Barcodes are not new, so this wouldn't be a "new" opportunity. The idea isn't to eliminate all attack surfaces, but to protect the ones that are needed or desirable.

We should also ask: why do we need barcodes at all? They solve a problem that does not exist in voting systems. A ballot marking device can easily print marks to fill in circles on a paper ballot. (They could even randomly pick from a library of mark styles or be "fuzzed" to make them appear hand-marked.) Every system vendor with a digital scanner can accurately read less-precise marks on hand-marked ballots. Reading a machine-marked ballot is easy by comparison. I believe some vendors have systems which currently do this.

[Bernie Hirsch] Your assumption is that only BMDs are used in voting systems. There are other forms of voting, both existing and imagined. A more diverse and innovative universe of technologies makes voting systems more secure and less prone to a single point of failure. Our job isn't to target individual technologies for exclusion, but rather to provide guidance on how to mitigate risk and improve security of existing and anticipated technologies of the future.

Barcodes could still be used for ballot style and precinct configuration (in a readable, interoperable format). However, I think the principle-first design of VVSG 2.0 indicates that barcodes should not be used for ballot selections anymore.

[Bernie Hirsch] Now barcodes ARE readable and interoperable?

Barcodes provide a thoroughly vetted and tested range of publicly accepted and understood technologies that are a valuable tool in voting system design and implementation. They avoid many of the pitfalls of single optical mark interpretation, and offer integrity safeguards that are absent in other forms of "raw" visually stored data. Our voting systems will be more secure if we make it easier, not harder, to more accurately count or recount ballots. While I disagree that software independence is a necessary prerequisite for conducting audits, auditing doesn't necessarily need to rely on the use of barcodes or be software dependent since each ballot would be accompanied by a human-readable format.

I've also introduced the concept of a pre (or post) election physical and cybersecurity sweep (PEPCS) audit, which would assure the public and voting officials that the voting system is correctly configured, hasn't been tampered with, and exactly matches the system as tested and certified before and after each election. The sweep includes a check of digital signatures and other electronic and visual identification characteristics of the system as well as an examination of seals, decals and other physical protections in place. Essentially this type of independent PEPCS audit increases the trust in the certified voting system so its built-in mechanisms can be relied upon to conduct other types of audit. Otherwise why include requirements for monitoring and internal auditing of voting systems at all?

My best,
Bernie Hirsch
MicroVote General Corp.



Judson Neer

Apr 27, 2018, 12:23:52 PM
to Kevin Skoglund, vvsg-cybersecurity
Kevin (and others),

Could a manual audit of some percentage of ballots that compares the contents of the barcode to the printed marks, in conjunction with a larger set of ballots audited via barcode scan, serve to give adequate confidence in the results, and restore software independence?

Judson Neer

Director of Engineering


Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com


     




Schneider, Marc I

Apr 27, 2018, 12:39:34 PM
to Bernie Hirsch, Kevin Skoglund, vvsg-cybersecurity
> * Most current barcodes are in a proprietary format. That means they are not exporting data (from the BMD) and importing data (to the tabulator) "in an interoperable format" (4.1) or in a "standard, publicly-available" format (4.2).
>
> [Bernie Hirsch] There are numerous interoperable, standard, publicly-available barcode formats (QR, Datamatrix, PDF417, Aztec for 2D codes; UPC, EAN, Code 39, Code 128, ITF, Code 93, Codabar, etc. for 1D codes)

Bernie, I think that Kevin is referring to the information encoded in the barcode and not the barcode format itself. For example, if the barcode encoded 1,2 to mean first contest, second choice, that is not in an interoperable nor a standard, publicly-available format. If there was a public standard defined for how to represent "contest 1, Jane Doe" in an interoperable format, then this issue would be resolved.

Thanks,
Marc Schneider
Office: 703-983-0487
Cell: 703-667-0586

Duncan Buell

Apr 27, 2018, 12:43:46 PM
to vvsg-cybersecurity, Bernie Hirsch, Kevin Skoglund, Schneider, Marc I
My one experience with barcodes on ballots was that yes, the barcode format was standard and could be read by a scanner app on my phone.

And the scanner said that the barcode was the code for a Fram oil filter. I think that’s the problem Marc is referring to.



Duncan Buell
dunca...@gmail.com

Schneider, Marc I

Apr 27, 2018, 12:50:15 PM
to Duncan Buell, vvsg-cybersecurity, Bernie Hirsch, Kevin Skoglund
Exactly, on products that use UPC-A codes, the de-facto standard is that the left 5 digits represent the manufacturer, and the right 5 digits represent the product. If for example you used the left 5 digits for contest, and right 5 digits for choice, and then attempted to interpret that with the de-facto product representation, you'll get a random product.

Bridges, Tony - ELECTIONS

Apr 27, 2018, 1:06:12 PM
to Schneider, Marc I, Duncan Buell, vvsg-cybersecurity, Bernie Hirsch, Kevin Skoglund
Because most common 1D codes only represent a small number of digits, data typically goes through a separate encoding (or serializing) process before it gets encoded into a barcode. So in the example of a UPC-A, the manufacturer and product are assigned numbers, whereas in the PDF417 barcode on the back of a Real ID driver license the data represented by the barcode is pretty much plain English, just with rather opaque field names prepended to each data field.

The issue here is that to really be interoperable, both the standard for converting data into a visual representation, AND the standard for serializing the data to be represented need to be open and transparent.
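
The distinction drawn in the last few messages, that a standard symbology does not imply a standard payload, can be shown with UPC-A itself. The sketch below is an added example, not part of the thread and not any vendor's code; the contest/choice layout and all function names are hypothetical.

```python
"""Symbology vs. serialization: one valid UPC-A symbol, two meanings.

Added illustration. The ballot layout (5 digits contest, 5 digits choice)
is the hypothetical one from the discussion, not any vendor's real format.
"""


def upca_check_digit(data11: str) -> int:
    """Return the UPC-A check digit for the 11 data digits."""
    if len(data11) != 11 or not (data11.isascii() and data11.isdigit()):
        raise ValueError("UPC-A carries exactly 11 data digits")
    odd = sum(int(d) for d in data11[0::2])   # positions 1, 3, ..., 11
    even = sum(int(d) for d in data11[1::2])  # positions 2, 4, ..., 10
    return (10 - (3 * odd + even) % 10) % 10


def read_symbol(code12: str) -> str:
    """Symbology layer: what any commodity scanner verifies and returns."""
    if len(code12) != 12 or not (code12.isascii() and code12.isdigit()):
        raise ValueError("not a 12-digit UPC-A string")
    if upca_check_digit(code12[:11]) != int(code12[11]):
        raise ValueError("check digit mismatch")
    return code12[:11]


def as_retail_product(data11: str) -> dict:
    """De facto retail reading: number system, manufacturer, product."""
    return {
        "number_system": data11[0],
        "manufacturer": data11[1:6],
        "product": data11[6:11],
    }


def as_ballot_selection(data11: str) -> dict:
    """Hypothetical private reading: left 5 digits contest, right 5 choice."""
    return {"contest": int(data11[1:6]), "choice": int(data11[6:11])}


def encode_ballot_selection(contest: int, choice: int) -> str:
    """Serialize a selection under the hypothetical layout, add check digit."""
    if not (0 <= contest <= 99999 and 0 <= choice <= 99999):
        raise ValueError("contest and choice must each fit in 5 digits")
    data11 = f"0{contest:05d}{choice:05d}"
    return data11 + str(upca_check_digit(data11))


if __name__ == "__main__":
    code = encode_ballot_selection(1, 2)  # "first contest, second choice"
    digits = read_symbol(code)            # passes every symbology check
    print(code)
    print("retail reader :", as_retail_product(digits))
    print("ballot reader :", as_ballot_selection(digits))
```

Both readers accept the same symbol without error; only the serialization agreement decides whether the digits mean a product or a vote.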

Bernie Hirsch

Apr 27, 2018, 1:10:47 PM
to Bridges, Tony - ELECTIONS, Schneider, Marc I, Duncan Buell, vvsg-cybersecurity, Kevin Skoglund
Perhaps the interoperable group might devise a standard for visually encoding ballot selections into a barcode, similar to the vote record requirements.

Bernie

Wack, John (Fed)

Apr 27, 2018, 1:35:48 PM
to vvsg-cybersecurity

This is from the general interoperability requirements for the next VVSG, available on the interoperability page on the twiki:



1-A.2 Standard protocols and algorithms

Standard, publicly-available and publicly-documented protocols MUST be used, where possible, for exchanging data or encoding data.

Applies to: Voting system

Discussion

This refers to the use of common protocols for wireless communications, e.g., Bluetooth, etc.  It also refers to data encodings such as for bar and QR codes typically used by ballot marking devices to encode voter choices.

Status: under review

Updated: 02/13/18

Gap notes: New requirement

1-A.3 Public documented manufacturer protocols

Where it is not currently possible to meet requirement A.2, manufacturers MUST use a publicly documented protocol.

Applies to: Voting system

Discussion

This refers to, for example, packing or compressing data before encoding in a QR code.  If a manufacturer uses its own protocol or algorithm, it must document its implementation and usage and make this available publicly.

Status: under review

Updated: 02/13/18

Gap notes: New requirement


In 1-A.3, it says that a manufacturer can use their own data compression method as long as it is publicly documented such that auditors, the public, whomever, can decompress the data.  


I think, as most people would agree, it is better not to need to do compression or not to need to use a bar code at all.  But, I understand that they are used because they are more accurately scanned 'in the field' than the marked paper ballots, and it's important to reasonably ensure that what gets encoded into the cast vote record is correct.  And compression might be necessary depending on which barcode is being used and the amount of data.  It is my recollection that the TGDC who approved the 2007 TGDC Recommendations didn't really like items such as barcodes that aren't human readable, but at the same time were okay with barcodes as long as the barcode algorithm is 'in the public' and an audit could be readily done to verify that the algorithm is being used correctly.  So, these requirements above go along with this.


If this group wants to change these requirements, I think that it's important to preserve the principle of transparency and at the same time not make the requirements unnecessarily difficult to meet or complicate too much life for the election workers and auditors involved.


Cheers, John

---
John P. Wack
john...@nist.gov




Carl Hage

Apr 27, 2018, 2:34:30 PM
to vvsg-cybe...@list.nist.gov
On 04/27/2018 07:52 AM, Kevin Skoglund wrote:
> We should also ask: why do we need barcodes at all?

A machine-printed voter verified ballot could add a bar-coded (QR code)
digital signature of the vote, proving that the printout was made by a
particular machine, and if used with temporary private key, made on a
particular day.

Bar codes (of a sort) record the ballot style and sometimes precinct,
though some people don't call them bar codes.

A bar code (with human-readable number) might be used to imprint a
ballot ID to match stored CVRs with paper for auditing.

John Sebes

Apr 27, 2018, 4:25:16 PM
to Judson Neer, Kevin Skoglund, vvsg-cybersecurity
Judson,

I would venture a tentative "yes" with the proviso that in the
audit, the barcode reading has to be done by a device that's independent
of the voting system product that wrote the barcode, and that coding
would have to be in an industry standard format (because of the Fram
factor).

Another important part of such an audit would be detection of cases
where a human mark placed after the barcode imprint might create a
ballot for which the barcode doesn't match the voter's intent as evident
to a human review.

John Sebes

Judson Neer wrote:
> Kevin (and others),
>
> Could a manual audit of some percentage of ballots that compares the
> contents of the barcode to the printed marks, in conjunction with a
> larger set of ballots audited via barcode scan, serve to give adequate
> confidence in the results, and restore software independence?
>
> Judson Neer

David Wallick

Apr 27, 2018, 9:30:28 PM4/27/18
to John Sebes, Judson Neer, Kevin Skoglund, vvsg-cybersecurity
If the barcode format is of standard form either from current other industry standards or by design of CDF format within elections (not that that work is happening now but leaving it open for future possibility) then it is reasonable to believe a third party auditing product could be made and used to read the barcode data for some auditing process that may look similar to currently proposed RLA type audits.

As far as marking a ballot post barcode generation there may need to be a process requirement that essentially invalidates a ballot that a voter marks after printing (this presumes a barcode with vote selections printed on a ballot is done from some type of BMD device) similar to how paper ballots now have some invalidating conditions such as when a voter signs their name to an actual ballot rather than the envelope for return of a paper absentee ballot.

If the barcode exists only on a VVPAT we'd need to discuss voter access to VVPATs potentially. VVSG 1.0 talks specifically about making VVPATs viewable but not obtainable or touchable by a voter, although VVSG 1.1 proposes the idea of cut sheet VVPAT which may or may not involve direct voter interaction with the piece of paper. Either way, I think there are ways to deal with the possibility of a voter marking something on either a ballot with a barcode or a VVPAT with a barcode. These may come down to jurisdictionally determined processes for how they want to handle those situations. I am not convinced that is a problem we need to solve here although we may choose to provide suggestions.

On Fri, Apr 27, 2018 at 2:25 PM, John Sebes <jse...@osetfoundation.org> wrote:
Judson,

I would venture a tentative "yes" with the proviso that in the
audit, the barcode reading has to be done by a device that's independent
of the voting system product that wrote the barcode, and that coding
would have to be in an industry standard format (because of the Fram
factor).

Another important part of such an audit would be detection of cases
where a human mark placed after the barcode imprint might create a
ballot for which the barcode doesn't match the voter's intent as evident
to a human review.

John Sebes

Judson Neer wrote:
> Kevin (and others),
>
> Could a manual audit of some percentage of ballots that compares the
> contents of the barcode to the printed marks, in conjunction with a
> larger set of ballots audited via barcode scan, serve to give adequate
> confidence in the results, and restore software independence?
>
> Judson Neer
>
> /Director of Engineering/

>
>
> Everyone Counts, Inc.
>
> Phone: 937.902.7765
>
> Email: judso...@everyonecounts.com
>
>

Kevin Skoglund

Apr 30, 2018, 11:15:17 AM4/30/18
to vvsg-cybersecurity
If we add requirements to ensure that barcodes are not proprietary but are in an interoperable, publicly-available format, then barcodes will no longer conflict with Principle 4: Interoperable.

If we add requirements to ensure that barcodes do not contain data or metadata associated with the CVR, then barcodes will no longer conflict with Principle 10: Ballot Secrecy.

I misinterpreted guideline 3.2. I now believe "for inspection" does not mean for inspection by the public but for inspection by testers. I no longer think it is a conflict.

There are four remaining conflicts to review: 3.3, 7.3, 9.1, 14.2. I will attempt to advance our discussions on these four guidelines. (I apologize for the length. It seemed better than writing 4 separate emails.)

---

> Principle 3: TRANSPARENT
> The voting system and voting processes are designed to provide transparency.
> 3.3 - The public can understand and verify the operations of the voting system throughout the entirety of the election.

This principle exists to increase trust in the voting system. With barcodes, voters can see a secret message is being passed and wonder what it says. Obfuscation reduces trust.

If two foreign language speakers I did not know well were discussing me and I couldn't speak their language, I would wonder what was being said. If one of them told me, I would not trust it was accurate and complete. (This is the reason diplomats each bring their own translator to negotiations.) Communication one can witness but not understand is not transparent and reduces trust.

The idea of using cellphones to read barcodes which contain only human-readable text inside is interesting. However, we should remember that voters who do not own smart phones or do not have them on hand would not be able to read them. Would that satisfy our transparency principle?

---

> Principle 7: MARKED, VERIFIED, AND CAST AS INTENDED
> Ballots and vote selections are presented in a perceivable, operable, and understandable way and can be marked, verified, and cast by all voters.
> 7.3 - Voters can understand all information as it is presented, including instructions, messages from the system, and error messages.

The fundamental idea is that a voter should have the information they need to make the choice to cast or to reject the ballot. If a voter can't read what is being cast, then a voter can't make an informed choice or know that their vote was cast as intended.

Bernie Hirsch wrote: "If the barcode is scanned and interpreted for the voter (either orally or through a digital display) then they can "understand all information as it is presented," since the information would include either a visual or aural interpretation."

I read the requirement differently. If a paper record contains a barcode and a human-readable version, then "all information" is not understandable. If it requires a visual or aural interpretation to be understood, then it is not "as it is presented".

---

> Principle 9: AUDITABLE
> The voting system is auditable and enables evidence-based elections.
> 9.1 - An error or fault in the voting system software or hardware cannot cause an undetectable change in election results.
> 9.1-B.1 – Voter verification
> Tamper-evident records must provide individual voters the opportunity to verify that the voting system correctly interpreted their ballot selections. (paper-based only)
> 9.1-F.5 – Identification of errors
> The voter must have the opportunity to identify ballot errors before it is cast. (paper-based only)

This guideline is almost word-for-word the concept of software independence [https://en.wikipedia.org/wiki/Software_independence]. In simple terms it means to never trust any part of the system being audited.

It is not just for software. When my wife was a litigator, she worked cases where financial managers sent clients fake accounting statements after losing their money. A good financial audit would not allow those managers to participate in any way. Even small participation might give them an opportunity to influence the audit results. We do not know in advance if the manager is crooked, so we make a practice of excluding all managers and using only original source materials and third-party evaluation.

If the software or hardware in systems which print barcodes to be later read by a tabulator had an error or fault that changed the results, would it be undetectable?

If the voter can't read the barcode "to verify that the voting system correctly interpreted their ballot selections" and "identify ballot errors before it is cast" then the voter would not detect it. If barcodes were also used during recounts and audits (which may be more common than not) then they would not detect it.

One issue is scope. This group has a say about whether the voter verifies a barcode, but none in whether barcodes are rescanned. Recounts and audits are procedures. We cannot prevent using audit procedures that might fail to detect changes to the results, short of removing the feature altogether.

Judson Neer suggested that a mini-audit of the correctness of the barcoding in addition to a larger audit that rescans the barcodes might restore software independence. Several people thought it could be feasible with a third-party scanner. I agree, but that is also a procedure that would be out of scope.

I would suggest that since we are fortunate to work with Ron Rivest and John Wack, who developed the principle of software independence, we should ask for their thoughts and guidance. What does "undetectable" mean in practical terms?

---

> Principle 14: SYSTEM INTEGRITY
> The voting system performs its intended function in an unimpaired manner, free from unauthorized manipulation of the system, whether intentional or accidental.
> 14.2 - The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports, and by using other technical controls.

Barcodes do increase the attack surface. Whether they are in conflict with this guideline depends on if you think they are necessary. Bernie Hirsch said, "The idea isn't to eliminate all attack surfaces, but to protect the ones that are needed or desirable." I agree. If barcodes are necessary, then we accept the security tradeoff and try to mitigate security issues. If they are not necessary, then we have to weigh their benefits against the security issues, and consider the pros and cons of alternatives.

I believe they are not necessary because the voting system can precisely control the printing (choose format and layout, add registration marks, etc.) and modern scanners can accurately read far less precise marks on hand-marked ballots. It would not have to be a full-size ballot. On thermal paper it could be a miniature representation of a ballot or use candidate position numbers next to their human-readable names.

Examples:

President
[ ] George Washington
[ ] John Adams
[X] Thomas Jefferson

President
[3] Thomas Jefferson

The second example depends on OCR, but under the best possible circumstances.

I realize this represents a paradigm shift from the current systems, but it does not appear to be technologically difficult. Can anyone explain why it would be?


Best,
Kevin Skoglund


Schneider, Marc I

Apr 30, 2018, 12:18:50 PM4/30/18
to Kevin Skoglund, vvsg-cybersecurity
Kevin,

Thank you for this excellent analysis.

Thanks,
Marc Schneider
Office: 703-983-0487
Cell: 703-667-0586


grln...@aol.com

Apr 30, 2018, 6:45:59 PM4/30/18
to mschn...@mitre.org, ke...@kevinskoglund.com, vvsg-cybe...@list.nist.gov
Kevin,

I also thank you for this analysis. At first glance, I like your suggestion for candidate position numbers. What are the pros and cons of this suggestion?

On the call last Friday, two main uses for barcodes were mentioned: 

1. Voting machines encoding voters' selections.

2. E-poll machines encoding the ballot style so that BMDs will display the correct ballot style.

I believe that your analysis was primarily dealing with the first, right? On the call, there was only a brief discussion on why such encoding of voters' selections is desired by some. I am still not sure I understand the reasons. If it is about processing time, would it be an issue for in-polling place voting as well as central count? In polling places where voters have to approach the machine and insert their ballots, aren't voters sufficiently spread out in terms of time that processing time should not be a major factor? Would your suggestion of candidate position numbers be much slower to process than barcodes?

What about the second issue, barcodes for ballot styles?  Could something similar to your suggestion apply to encoding ballot style?  Could the human readable number of the ballot style be used instead of a barcode? If there were a human readable number instead of a barcode, then voters would not be nervous that their identity is encoded in the barcode.  It comes back to the issue of trust that you raised.  Before allowing barcodes for encoding ballot style, we should take a hard look at Principle 3, Transparent and Principle 10, ballot secrecy.

Are there other uses for barcodes that are being considered besides these two?

Best,

Lynn





Bernie Hirsch

Apr 30, 2018, 8:44:54 PM4/30/18
to grln...@aol.com, mschn...@mitre.org, ke...@kevinskoglund.com, vvsg-cybe...@list.nist.gov

Regarding use of barcodes printed onto paper (in addition to human readable print) for voters’ selections:

 

Take the case of voter selections accompanied by a single 2D barcode printed onto a VVPAT thermal paper ballot used by a DRE as a voter verified “backup” for use during a post-election audit or recount.  In this case the DRE electronic CVR (not the paper CVR) would be the ballot of record.  Thermal paper (a 2”-4” wide receipt type strip) would not lend itself to OCR scanning due to the nature of the paper, but would allow the holding of each ballot’s barcode in front of a scanner by hand, like scanning items in a checkout line at the grocery.  The scanned vote selections on a display could be compared to each ballot’s human readable contents before scanning the next ballot.  Another advantage of barcode scanning over OCR is that barcodes allow integrity checking of the data, whereas raw scanned items (optical mark, OCR) are much more prone to error.  And finally, a single 2D barcode could contain around 4,000 characters of text, more than enough data to store a complete CVR, including the ballot style, precinct and activation along with voter selection locations for a long ballot.

 

About 10 years ago I attended a meeting for voting system manufacturers hosted by the EAC. The speaker was Merle King from Kennesaw State University’s Center for Election Systems in Georgia (now retired). During his presentation he showed us a study comparing the accuracy of different voting technologies. According to the information on his slide overall DRE accuracy (including voter error, etc.) was less than .5%, while paper mark scanning exceeded an 8% overall error rate. That number certainly had an impact on me.

 

I’m not a big fan of paper as a storage medium in general because of the tremendous usability and accessibility issues associated with the technology.  When the accuracy problems of optical mark or OCR scanning are factored in, the picture gets even worse.  I’d much rather see our community leverage the many thousands of hours and millions of dollars spent independently testing and certifying our systems over a number of years by conducting PEPCS audits (Pre or Post-Election Physical and Cybersecurity Sweep) to assure that the configuration of the system is unmodified from the certified version comparing digital signatures and our required System Identification Tools supplied with each voting system.  Barcode technology at least mitigates to a certain degree the inherent difficulties of accurately reading voter intent using optical mark, OCR scanning or (perish the thought) a complete hand count of paper ballots.  Also keep in mind that re-counting a few thousand sampled paper ballots (or a whole state) is a tremendously tedious and time-consuming undertaking.  Making the job less onerous and more accurate means jurisdictions are more likely to conduct meaningful recounts or audits.

 

Bernie Hirsch

MicroVote General Corp.

 


Kevin Skoglund

Apr 30, 2018, 9:25:22 PM4/30/18
to vvsg-cybersecurity
> On the call last Friday, two main uses for barcodes were mentioned:
>
> 1. Voting machines encoding voters' selections.
>
> 2. E-poll machines encoding the ballot style so that BMDs will display the correct ballot style.
>
> I believe that your analysis was primarily dealing with the first, right?

Yes, I have been focusing on the first one.  It seems like the more important and complicated piece. And our decisions there may guide the other use cases.

On ballot style barcodes, I think we also agreed that they must be in an interoperable, publicly-available format and may not contain data or metadata that would violate ballot secrecy. You are correct that there would be a similar issue of trust related to transparency.

> Are there other uses for barcodes that are being considered besides these two?

The only other one that comes to mind is for a voting receipt. Receipts are uncommon now, but have been discussed for future systems. They would be most useful for storing a long string of letters and numbers (a hash or an identifier), so that the voter could reference their vote later without having to type them all in.

Best,
Kevin

Kevin Skoglund

Apr 30, 2018, 9:37:23 PM4/30/18
to vvsg-cybersecurity
Bernie,

> Thermal paper (a 2”-4” wide receipt type strip) would not lend itself to OCR scanning due to the nature of the paper

Could you elaborate on why thermal paper does not lend itself to OCR? Is this true for both optical and digital scanners?

> Another advantage of barcode scanning over OCR is that barcodes allow integrity checking of the data

How is the integrity of barcoded data checked? Are there systems that do this now or is it theoretical?

> And finally, a single 2D barcode could contain around 4,000 characters of text, more than enough data to store a complete CVR, including the ballot style, precinct and activation along with voter selection locations for a long ballot.

Other ballot representations could contain this data and more. This seems like an argument for better data compression and speed.

> About 10 years ago I attended a meeting for voting system manufacturers hosted by the EAC. The speaker was Merle King from Kennesaw State University’s Center for Election Systems in Georgia (now retired). During his presentation he showed us a study comparing the accuracy of different voting technologies. According to the information on his slide overall DRE accuracy (including voter error, etc.) was less than .5%, while paper mark scanning exceeded an 8% overall error rate. That number certainly had an impact on me.

10 years is a long time. Weren't most scanners optical and not digital then? Vendors have done an amazing job improving the software that reads hand-marked paper ballots. Does anyone know of more recent data on this point? Or even just the current error rate of paper mark scanning? I'd be surprised to hear it is 8% today.

Best,
Kevin

Kevin Skoglund

Apr 30, 2018, 9:53:08 PM4/30/18
to vvsg-cybersecurity
It occurred to me 10 minutes after sending my last email that a public discussion about the accuracy of mark reading is probably not something this group should engage in.

So ignore that portion, please. My apologies.

Kevin

Wack, John (Fed)

May 1, 2018, 10:41:45 AM5/1/18
to vvsg-cybersecurity

Hi everyone,


Some additional info if you don't already have this:


NIST has been preparing a common data format for cast vote records, and we've had very good help in this from a variety of different groups - manufacturers, auditing people, many others.  The model is considered complete and the specification is in final stages - I am redrawing some images and creating worked examples, and then it's ready for review.


The specification includes the capability for cast vote records to contain a number of items in addition to the voted contests and contest selections, including the ballot style, the creating device ID, sheet number if a multi-sheet paper ballot, corresponding paper ballot ID if this ID is impressed by the printer or possibly included in the bar code created by a BMD, party associated with the ballot if a partisan primary, positions associated with 'bubbles' on the ballot, and so on.  The current version of the specification is at


https://github.com/usnistgov/CastVoteRecords


and you can read about what the cast vote record has the capability to contain.  


A BMD may encode, in a bar code, some of this information (manufacturers on this list will know this better than me).  It could additionally print out the ballot style, bubble positions, etc.  My opinion is that while transparency is improved a little if this additional info is printed, at the same time this same information is not necessarily known or obvious to the voter who is voting a paper ballot.  


One issue is that if a ballot scanner impresses an ID on a paper ballot so that the ID can be stored in the corresponding cast vote record, the voter doesn't see the impressed ID and privacy is thus preserved.  If the BMD were to generate an ID and place it in the bar code so that the scanner can then store it in the corresponding cast vote record, I doubt whether the ID should be printed in human readable form; obscuring it in a bar code would prevent a voter or someone else from easily remembering the number.


At any rate, what I'm saying is that the cast vote record contains additional items beside contests and contest selections; voters casting paper ballots don't necessarily see these items; a BMD would likely encode those items in a bar code and depending on requirements, it could also print them out in human-readable form.  It's not my purpose here to debate the value of printing them or not (except for the impressed ID issue), but these items do need to get put into the cast vote record so that the proper reporting of the election and auditing can be conducted.


Cheers, John




---
John P. Wack
john...@nist.gov




Schneider, Marc I

May 1, 2018, 11:21:27 AM5/1/18
to Bernie Hirsch, grln...@aol.com, ke...@kevinskoglund.com, vvsg-cybe...@list.nist.gov

Bernie,

 

If the paper audit trail contains a barcode, is it really voter verified? Add a human readable representation, and then we’re back to the issue of what if the barcode and human readable versions differ?

 

Why do you say that thermal paper wouldn’t lend itself to OCR?

 

Thanks,

Marc Schneider

Office: 703-983-0487

Cell: 703-667-0586

 

Bernie Hirsch

May 1, 2018, 4:31:59 PM5/1/18
to Kevin Skoglund, vvsg-cybersecurity


-----Original Message-----
From: Kevin Skoglund [mailto:ke...@kevinskoglund.com]
Sent: Monday, April 30, 2018 21:37
To: vvsg-cybersecurity
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots

Bernie,

> Thermal paper (a 2”-4” wide receipt type strip) would not lend itself to OCR scanning due to the nature of the paper

Could you elaborate on why thermal paper does not lend itself to OCR? Is this true for both optical and digital scanners?

[Bernie Hirsch] Imagine a thermal printed receipt at the grocery store. These types of printers are not fantastic at printing precisely registered images onto paper and somewhat resemble the quality of a printed newspaper at best. As a contrast the resolution comes nowhere close to the quality of a good magazine image created on a sheet-fed press. The transport mechanism is usually fairly basic as well. The paper quality, chemical composition and thickness are difficult to control through a series of fairly rudimentary roller mechanisms in many scanners, especially for narrow long ballots. None of these shortcomings affect the effectiveness of a barcode (which is why they're so widely used on all types of packaging, shipping labels, etc.). Our current scanners have a difficult enough time interpreting simple marks on a page within a defined area. Imagine compounding that issue by introducing variable human-readable characters.

Regarding "optical and digital scanners" please keep in mind that ALL scanners that use printed paper technology begin with an analog medium - light. That analog optical information is captured by a scanner and then must be converted to a digital signal and interpreted. Certain types of scanners are better or worse at capturing the good stuff and ignoring the bad. The image might then be subjected to a series of complicated algorithms to try and determine whether or not the voter actually intended to mark a specific location on the ballot. A target area could be determined based on a number of alignment factors and then varying amount of reflected light within the target area used to create a weighting system for each little dot, all in the effort to try and guess what the voter really meant when their pencil brushed that circle, or the thermal image was a little fuzzy or light or dark, etc.


> Another advantage of barcode scanning over OCR is that barcodes allow integrity checking of the data

How is the integrity of barcoded data checked? Are there systems that do this now or is it theoretical?

[Bernie Hirsch] It's not theoretical. Almost all 1D and 2D barcodes include a check digit and/or error correction of one type or another to maintain integrity, often built into the symbology and not part of the barcode data itself. As an example Code 128 uses a check digit and QR code uses ECC error correction. This is why you often wave a barcode around a bit in front of the scanner before being read. The scanner can optically see the code and is scanning it, but hasn't yet successfully confirmed the integrity of the data using the error checking built into the barcode.

> And finally, a single 2D barcode could contain around 4,000 characters of text, more than enough data to store a complete CVR, including the ballot style, precinct and activation along with voter selection locations for a long ballot.

Other ballot representations could contain this data and more. This seems like an argument for better data compression and speed.

[Bernie Hirsch] Yes, but the 2D barcode compresses that data into a very small physical area on the ballot, greatly increasing the usability of the technology. It eliminates all of that transport, alignment, stray marks, proprietary algorithms and character interpretation inherent in other technologies. And it's all based on a common, well-vetted set of interoperable standards used universally by many industries.

> About 10 years ago I attended a meeting for voting system manufacturers hosted by the EAC. The speaker was Merle King from Kennesaw State University’s Center for Election Systems in Georgia (now retired). During his presentation he showed us a study comparing the accuracy of different voting technologies. According to the information on his slide overall DRE accuracy (including voter error, etc.) was less than .5%, while paper mark scanning exceeded an 8% overall error rate. That number certainly had an impact on me.

10 years is a long time. Weren't most scanners optical and not digital then? Vendors have done an amazing job improving the software that reads hand-marked paper ballots. Does anyone know of more recent data on this point? Or even just the current error rate of paper mark scanning? I'd be surprised to hear it is 8% today.

[Bernie Hirsch] The basic properties of light haven't changed in 10 years. We always strive to improve over time, but there are still problems. And isn't one of the guiding principles behind using all of this paper that we don't trust all of that software code being used to interpret the raw analog light data? Otherwise why even bother with paper in the first place?

My best,
Bernie
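
The check-digit mechanism discussed in the exchange above, as an added example that is not part of the original messages: the Code 128 check symbol computed for Code Set B, showing that it catches a misread symbol but is equally valid on whatever payload the printing device chose to encode. The two sample payloads are constructed and do not represent any vendor's format.

```python
"""Code 128 (Code Set B) check symbol: what it detects and what it does not."""

START_B = 104   # Code 128 "Start Code B" symbol value
STOP = 106      # Code 128 stop symbol value
MODULUS = 103   # the check symbol is a position-weighted sum modulo 103

# Constructed payloads (hypothetical layout, for illustration only).
PRINTED_PAYLOAD = "S12-P0045-C03"
OTHER_PAYLOAD = "S12-P0045-C07"


def _check_symbol(start, data_values):
    """Start value plus each data value weighted by its 1-based position."""
    weighted = sum(i * v for i, v in enumerate(data_values, start=1))
    return (start + weighted) % MODULUS


def encode_code128b(text):
    """Return the symbol values that get printed: start, data, check, stop."""
    values = []
    for ch in text:
        if not 32 <= ord(ch) <= 127:
            raise ValueError(f"{ch!r} is not representable in Code Set B")
        values.append(ord(ch) - 32)  # Code Set B value = ASCII code - 32
    return [START_B, *values, _check_symbol(START_B, values), STOP]


def verify_code128(symbols):
    """What a reader does before reporting a scan: recompute the check symbol."""
    if len(symbols) < 3 or symbols[0] != START_B or symbols[-1] != STOP:
        return False
    *data, check = symbols[1:-1]
    return check == _check_symbol(symbols[0], data)


def decode_code128b(symbols):
    """Return the text only if the check symbol verifies."""
    if not verify_code128(symbols):
        raise ValueError("check symbol mismatch: unreliable read")
    data = symbols[1:-2]
    if any(v > 95 for v in data):
        raise ValueError("symbol outside Code Set B data range")
    return "".join(chr(v + 32) for v in data)


def check_symbol_demo():
    """Return (clean read ok, misread ok, differently encoded payload ok)."""
    printed = encode_code128b(PRINTED_PAYLOAD)

    # Case 1: optical noise changes one data symbol between paper and reader.
    misread = printed.copy()
    misread[5] = (misread[5] + 1) % 96

    # Case 2: the printing device encoded a different payload to begin with.
    # It computes the check symbol itself, so the reader sees a valid code.
    different = encode_code128b(OTHER_PAYLOAD)

    return (
        verify_code128(printed),
        verify_code128(misread),
        verify_code128(different),
    )


if __name__ == "__main__":
    clean, misread, different = check_symbol_demo()
    print("clean read verifies:          ", clean)
    print("misread symbol verifies:      ", misread)
    print("different payload verifies:   ", different)
```

The check symbol is a read-reliability feature: it says the reader saw what was printed, not that what was printed matches the human-readable text on the same ballot.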



Bernie Hirsch

May 1, 2018, 6:15:38 PM
to Kevin Skoglund, vvsg-cybersecurity
I'm working a primary election today and just scanned in a bunch of paper ballots. Yes, the error rate still hovers around 8% for paper ballots, even 10 years later. Why? Because voters make lots of errors that DRE's eliminate. I've scanned a number of ballots where voters X'd out one filled-in entry and filled in another, over-voting the office. Just read several where the voter filled in an invalid voting location (no candidate). We also had some spoiled paper ballots because two different ballot styles were mailed to the same address (husband/wife, etc.) and they switched the ballots when inserting them into the return envelopes, invalidating the activation. So basically a large contributing factor to the error rate with scanned paper ballots is voter error, not necessarily scanning error (although that's still an issue). All of this is eliminated when voting by machine.

And regarding this notion of software independence for voter verified human-readable ballots, I'm suggesting that a VVPAT or precinct-scanned ballot that has BOTH human-readable and barcode is just as valid as one lacking a barcode. A paper ballot that is tabulated using OCR or optical/digital mark detection is still completely dependent on software and hardware. The scanning algorithms must determine what the marks mean and determine whether or not to assign that selection to a candidate or referendum. The only question is how difficult and inaccurate do we want to make those processes. If those ballots are hand counted or audited then the human readable information would be all that matters, regardless of any software dependence or extraneous codes on the voter-verified ballot.

Bernie Hirsch




Lou

May 1, 2018, 7:43:44 PM
to vvsg-cybe...@list.nist.gov

Greetings all. Last Thursday, I attended a demonstration of new voting machines in Harrisburg PA with 5 different vendors displaying their wares. All of them had paper backed ballots, now being required by PA Governor Wolf. As I have been studying this thread on bar codes, my question is this: Are there any commercially available programs, for any smartphone, that can accurately decode and display what the bar code translates into? Vendors who were there are ES&S, Hart Verity, Unisyn, Dominion Voting, and Clearballot. Thank you all in advance for the work you do.

Bernie Hirsch

May 1, 2018, 7:58:54 PM
to Lou, vvsg-cybe...@list.nist.gov


Maurice Turner

May 1, 2018, 8:07:22 PM
to Lou, vvsg-cybe...@list.nist.gov
Scandit works very well. It’s mentioned on the camcode list from Bernie.

--
Maurice Turner | Senior Technologist
Center for Democracy & Technology | cdt.org
E: mau...@cdt.org | D: 202.407.8819| T: @TypeMRT

Susan Greenhalgh

May 1, 2018, 8:45:43 PM
to Lou, vvsg-cybe...@list.nist.gov
I hope the vendors will weigh in here and correct me if I’m wrong but my understanding is that all the systems currently on the market that encode vote choices in a barcode use proprietary tech and cannot be decoded by any commercial off the shelf scanners. 

Sent from my iPad

Judson Neer

May 1, 2018, 8:53:25 PM
to Susan Greenhalgh, Lou, vvsg-cybersecurity
Let's be careful not to conflate the encoding of the barcode itself (of which there are a number of well-documented industry standards) with the encoding of the content within the barcode.

I'd wager an educated guess that most everyone uses an industry-standard barcode encoding, but few if any follow a standard for the content (since there isn't such a thing just yet, though VVSG 2.0 might have something to say about that).

Judson Neer

Director of Engineering


Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com


     



Duncan Buell

May 1, 2018, 9:03:52 PM
to grlndlynn via vvsg-cybersecurity, Lou, Greenhalgh Susan
This is where the Fram oil filter meme needs to be invoked.

It’s not that the barcode cannot be scanned. I was able with more than one scanner to scan an ExpressVote bar code.

However, scanning to detect the numerical value of the bar code is not the same as being able to verify that the numerical value had meaning as a cast vote. That, I think, is what is being kept proprietary. One of my commercial scanners came up with the code for Bernie Sanders in a primary as a Fram oil filter.

And this is my problem with barcodes. It is absolutely ludicrous to say that a voter can verify her ballot if what she is permitted to read is the English summary, but she is not entitled to full disclosure of what the barcode (that which is scanned as “the cast vote”) really means. I would still contend, then, that if “voter verifiable” is to have any meaning at all, then there are only a few options if the barcodes are what are going to be used for counting that which is deemed to be a cast vote.

1) There is a statistical audit of bar codes against English text to verify that barcodes match up with English text.
2) The voter is permitted ballot selfies with smartphones so that crowdsourcing of barcodes with other voters does the same verification as in 1) above.
3) There’s a huge poster in every precinct with the barcodes and their interpretations so that the voter can look at the barcode numbers (which better be printed there under the code itself) and verify that that numerical sequence is in fact a vote for Clem Kadiddlehopper for dogcatcher.

Option 3) ain’t never going to happen, for several reasons. It’s a full transparency and disclosure method that will be impossible to implement and would lead to long lines.

Option 2) is problematic for several states.

Option 1) would thus be in almost all situations mandated…

or else “voter verifiable” becomes totally meaningless.

Is there an option 4) that allows the voter to look at the bar code in real time, know what it means, and know that it corresponds with her intended cast?

After all these years of talking about software independence, it is just wrong to reject it in favor of barcodes. That’s not a step forward; that’s a crawfish step.

Duncan Buell
duncan...@gmail.com



Bernie Hirsch

May 1, 2018, 9:22:45 PM
to Duncan Buell, grlndlynn via vvsg-cybersecurity, Lou, Greenhalgh Susan
Are you suggesting that the presence of a barcode somehow invalidates the human readable information on the same ballot? Procedures would dictate whether any software would be used to scan and interpret barcodes, optical characters or marks on a piece of paper. The presence of the entire ballot in human readable form leaves software independence on the table.

Bernie Hirsch

Bernie Hirsch

May 1, 2018, 9:32:01 PM
to Duncan Buell, grlndlynn via vvsg-cybersecurity, Lou, Greenhalgh Susan
There's probably more than one person named Bill Clinton or George Bush in the world, too. That doesn't stop us from using the letters in their non-unique key within the election environment. Maybe we were actually voting for an oil filter?

Bernie Hirsch



Nelson Rosario

May 1, 2018, 11:43:36 PM
to Bernie Hirsch, Duncan Buell, vvsg-cybe...@list.nist.gov, Lou, Greenhalgh Susan
Bernie, I must say for someone running an election today I'm impressed you've been able to be so responsive to this listserv.

Lut...@ctvoterscount.org

May 2, 2018, 3:59:17 AM
to vvsg-cybersecurity
That is far from what I have experienced.

For several years I was responsible for central absentee counting. We went over every ballot to pull all those that MIGHT have had problems if read by the scanner. Anecdotally, we pulled about 2-3% of ballots. All were counted except the 1% or so that were overvotes. DRE's would not solve them as they were absentees.

In a polling place overvotes are not a problem since they are rejected by the scanners.

From attending numerous recanvasses (electronic recounts in CT), all ballots are reviewed by hand and pulled for a handcount if there are any marks that MIGHT not be counted by machine. The usual result is 1-3 more votes for each candidate for a few thousand votes, with less change in the margin since often each candidate picks up some votes.

Thanks,
Luther




Bernie Hirsch

May 2, 2018, 7:55:12 AM
to Lut...@ctvoterscount.org, vvsg-cybersecurity
"DRE's would not solve them as they were absentees." The failings of voting absentee on paper don't go away because the current iteration of DRE's don't "solve" them.

Perhaps a future system built to the 2.0 (or other) standards can leverage new technologies or innovate ideas to mitigate the flaws inherent in paper voting? We're not obligated to repeat the mistakes of the past, are we?

Bernie Hirsch

Bernie Hirsch

May 2, 2018, 7:58:06 AM
to vvsg-cybe...@list.nist.gov, Nelson Rosario, Duncan Buell, Lou, Greenhalgh Susan
Thank you.

Schneider, Marc I

May 2, 2018, 10:31:05 AM
to Bernie Hirsch, Kevin Skoglund, vvsg-cybersecurity
In general, there are three types of bar codes being discussed, linear (1D), stacked (multiple 1D), and true 2D. Examples of these include UPC (linear 1D), PDF417 (stacked 1D), and QR (2D).

There are many factors involved in scanning bar codes, including as you mentioned illumination of the bar code. Raster based laser scanning systems are frequently used for 1D and stacked 1D bar codes, although other types of capture are used, especially when the device being used isn't a dedicated bar code reader, such as an app on a mobile device.

MICROSCAN has several whitepapers which do a very good job of discussing the advantages and disadvantages of various bar code technologies (http://www.microscan.com/en-us/resources/white-papers?page=3). Their whitepaper on common causes of unreadable barcodes (http://info.microscan.com/unreadable-barcodes) discusses the issues with scanning bar codes with poor contrast and glossy surfaces.

Many of the concerns around OCR scanning on thermal paper also exist when reading bar codes. I do agree that bar codes offer a more compact representation of the data. However, human readable text typically has low information entropy (~2.6 bits/character), and names have similar entropy values (~2.1 bits/character). Since we're not really interested in the individual characters, but rather the name or words of a ballot choice, we can see that this information is highly redundant (~100%). PDF417 at EC level 5 (recommended for longer barcodes) has at most 10% redundancy. This is important, since it means that a well-tuned OCR solution can outperform a bar code solution under difficult conditions (more errors).

The advantage of human readable representations is that it is independent of all software during an audit, as well as being voter verifiable without software.

Thanks,
Marc Schneider
Office: 703-983-0487
Cell: 703-667-0586




Susan Greenhalgh

May 2, 2018, 10:52:45 AM
to Schneider, Marc I, Bernie Hirsch, Kevin Skoglund, vvsg-cybersecurity
Thanks, I'd like to reiterate that there remains a thorny legal question if a paper ballot contains two different representations of voter intent - one that the voter can confirm, and a different representation that is counted by the equipment. Which is the official ballot of record?

If it's the human readable, that means the official ballot of record is not what is counted. If it's the barcode, that means the voter is unable to verify the official ballot.




Schneider, Marc I

May 2, 2018, 11:07:16 AM
to Susan Greenhalgh, Bernie Hirsch, Kevin Skoglund, vvsg-cybersecurity

Susan,

 

Thanks, I agree that having two different representations of ballot choices on a paper ballot or a paper audit trail is an issue that should be avoided. I think that non-human readable information makes it difficult, at best, for a voter to verify the information. Determining if the election outcome is correct as per guideline 9.2 - “The voting system produces readily available records that provide the ability to check whether the election outcome is correct and, to the extent possible, identify the root cause of any irregularities” is difficult if voters cannot verify that the information used in the tally represents what they intend.

 

Thanks,

Marc Schneider

Office: 703-983-0487

Cell: 703-667-0586

 


Judson Neer

May 2, 2018, 12:04:59 PM
to vvsg-cybersecurity
For those who know the law better than I, are there provisions for having two representations, the primary being "plain text" (and hence easily voter verifiable), and a backup encoded in a barcode (using a publicly documented encoding / representation such as the cast vote record being discussed by NIST, so at least theoretically verifiable by anyone)?

The use case I'm thinking of here is for ballots that are printed by a voter (e.g. UOCAVA and/or accessibility solutions that allow delivery and completion of a ballot via the web, and then mail the result). Given the variations in print quality and the potential for mangling by the post office, it seems useful to have multiple representations, if the law can accommodate it.

Judson Neer

Director of Engineering


Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com


     



Lulu Friesdat

May 2, 2018, 12:32:02 PM
to vvsg-cybersecurity
I agree with Susan and Marc that there is no meaningful way for the average voter to confirm that a barcode has accurately represented their vote. The use of barcodes is inherently opaque, and by its very nature violates the principle of transparency.

Furthermore, the use of barcodes has serious security risks. Harri Hursti said in testimony to the presidential commission on election integrity that barcodes can basically be used as a keyboard and they can be used to inject code into the process.
"When you read barcode, the problem is that barcode readers are usually a keyboard. So anything you can do with a keyboard you can do with a barcode. Barcode readers also have a bad habit of reading more standards than the standard you are using, and some of these barcodes can have a thousand, two thousand characters, and they can emulate the keyboard very effectively, so they can make those keyboard signs which are not-printable. Again, when you're reading a barcode, you can get an injection code into the system with that, and this is one thing which we found in the voting machine hacking village is how you can inject in some of these machines a SQL inject from the barcode. So these capabilities are very dangerous and we have to be very careful with the technology;"

Meanwhile the ES&S Express Vote that uses barcodes is being adopted rapidly. I was told it is already in use in 3 counties in TX. Jenny Cohn had a twitter thread yesterday listing the counties that have bought the machine including counties in Kentucky, West Virginia, Tennessee, Missouri, Indiana, Arkansas, and Wisconsin.

https://twitter.com/jennycohn1/status/991406567097483264

I don't know if there are ES&S vendors in the group. I am not trying to single any company out - but the use of barcodes was so troubling to election security activists in Georgia recently - that legislation to revamp their voter system was stopped because it was being written to allow the adoption of barcodes.





--

Kind Regards,

Lulu

 

@LuluFriesdat

 

Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.
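
One way a reader-side component can treat decoded barcode content as untrusted input, in response to the injection concern quoted in the message above (an added example, not code from the thread or from any vendor). The payload grammar, table names and sample scans are assumptions constructed for illustration.

```python
import re
import sqlite3

MAX_LEN = 512  # assumed upper bound for a legitimate payload

# Assumed payload grammar (hypothetical, not any vendor's format):
#   style=<digits>;precinct=<digits>;sel=<comma-separated option ids>
PAYLOAD_RE = re.compile(
    r"style=([0-9]{1,4});precinct=([0-9]{1,6});sel=([0-9]{1,4}(?:,[0-9]{1,4})*)"
)

# Constructed sample reads, as raw bytes handed over by the scanner.
CONSTRUCTED_SCANS = [
    b"style=12;precinct=0045;sel=3,17,22",          # well-formed
    b"style=12;precinct=0045;sel=3\t17",            # control character (Tab key)
    b"style=12;precinct=0045;sel=3' OR '1'='1",     # SQL metacharacters in a field
    b"012345678905",                                # a code from another symbology
    b"style=12;precinct=0045;sel=3" + b",9" * 300,  # oversized payload
]


class RejectedScan(ValueError):
    """Raised when a decoded barcode is not a well-formed ballot payload."""


def parse_scan(raw):
    """Validate raw scanner bytes against an allowlist grammar; return a record."""
    if len(raw) > MAX_LEN:
        raise RejectedScan("too long")
    # Keyboard-emulating readers can emit non-printable keys; refuse them all.
    if any(b < 0x20 or b > 0x7E for b in raw):
        raise RejectedScan("non-printable byte")
    match = PAYLOAD_RE.fullmatch(raw.decode("ascii"))
    if match is None:
        raise RejectedScan("does not match payload grammar")
    style, precinct, sel = match.groups()
    selections = [int(s) for s in sel.split(",")]
    if len(set(selections)) != len(selections):
        raise RejectedScan("duplicate selection id")
    return {"style": int(style), "precinct": int(precinct), "selections": selections}


def process_scans(scans):
    """Parse each scan, store accepted records, log rejects; return a summary."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cvr (style INTEGER, precinct INTEGER, selections TEXT)")
    conn.execute("CREATE TABLE rejects (reason TEXT, raw BLOB)")
    accepted, reasons = [], []
    for raw in scans:
        try:
            record = parse_scan(raw)
        except RejectedScan as exc:
            reasons.append(str(exc))
            # Raw bytes are bound as a parameter, never spliced into SQL text,
            # so even a hostile payload is stored as inert data for review.
            conn.execute(
                "INSERT INTO rejects (reason, raw) VALUES (?, ?)", (str(exc), raw)
            )
            continue
        conn.execute(
            "INSERT INTO cvr (style, precinct, selections) VALUES (?, ?, ?)",
            (
                record["style"],
                record["precinct"],
                ",".join(str(s) for s in record["selections"]),
            ),
        )
        accepted.append(record)
    cvr_rows = conn.execute("SELECT COUNT(*) FROM cvr").fetchone()[0]
    reject_rows = conn.execute("SELECT COUNT(*) FROM rejects").fetchone()[0]
    conn.close()
    return accepted, reasons, cvr_rows, reject_rows


if __name__ == "__main__":
    accepted, reasons, cvr_rows, reject_rows = process_scans(CONSTRUCTED_SCANS)
    print("accepted:", accepted)
    print("rejected:", reasons)
    print("rows in cvr:", cvr_rows, "rows in rejects:", reject_rows)
```

Restricting the reader itself to the one symbology in use, where the hardware allows it, narrows the input further before this code ever runs.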



Bridges, Tony - ELECTIONS

May 2, 2018, 12:39:45 PM
to Judson Neer, vvsg-cybersecurity

This kind of thing would be decided at a state level. In Wisconsin, the voter-verifiable paper audit trail always wins. We see this in DREs where essentially two records are created at once: the digital nonverifiable record and the printed verifiable record. I assume the barcode would not be considered voter-verifiable. In the worst case, I would expect an election inspector that was trying to determine voter intent would side with the human-readable record unless it was badly marred.

 

Clarifying legislation is always welcome, but I wouldn’t expect that to cause a problem for us. In fact I believe we saw a pilot of voting equipment that did something similar where the accessible equipment generated a human-readable printout that also contained a QR code for the tabulator.

 

From: Judson Neer [mailto:judso...@everyonecounts.com]
Sent: Wednesday, May 02, 2018 11:04 AM
To: vvsg-cybersecurity <vvsg-cybe...@list.nist.gov>
Subject: Re: [vvsg-cybersecurity] Barcodes on ballots
Importance: Low

 

For those who know the law better than I, are there provisions for having two representations, the primary being "plain text" (and hence easily voter verifiable), and a backup encoded in a barcode (using a publicly documented encoding / representation such as the cast vote record being discussed by NIST, so at least theoretically verifiable by anyone)?

 

The use case I'm thinking of here is for ballots that are printed by a voter (e.g. UOCAVA and/or accessibility solutions that allow delivery and completion of a ballot via the web, and then mail the result). Given the variations in print quality and the potential for mangling by the post office, it seems useful to have multiple representations, if the law can accommodate it.

Judson Neer

Director of Engineering

 

Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com



Judson Neer

May 2, 2018, 12:55:19 PM
to Lulu Friesdat, vvsg-cybersecurity
While I agree a barcode is less transparent than human-readable text on a printed page, it does not seem to follow that the use of a barcode is "inherently opaque". As I've said earlier, the use of a standard barcode encoding, and a standard representation of the data inside the barcode, is quite transparent, at least it would be to election officials trained in how to interpret it.

Of course to do so would require a scanner. And while I appreciate some of the dangers pointed out in the linked paper, they're a bit of a straw man. Not every barcode scanner functions as a keyboard; older-style RS-232 barcode scanners and optical barcode readers (e.g. apps on a smartphone) are just two examples. And even in the case of barcode scanners that present themselves as keyboards, it is not difficult to implement proper software controls to mitigate the named vulnerabilities.

Of course this brings us back to trusting the software, which we all agree should not be done, at least when the software operates in isolation from other checks and balances. In this case, a barcode scanner/reader built by a different vendor than the software used to create the barcode, and the software used to tabulate the resultant information, would be appropriate. Taken together with the barcode potentially only being a backup representation in the first place, that seems a reasonable set of controls.

Like prior discussions around other technologies, it seems to me the wise path here is to build in requirements for barcode best practices, rather than outright forbid them, and risk jurisdictions ignoring the ban altogether and leaving them with no guidance on how to implement them well.


Judson Neer

Director of Engineering


Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com


     


The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.


On Wed, May 2, 2018 at 9:32 AM, Lulu Friesdat <shuga...@gmail.com> wrote:
I agree with Susan and Marc that there is no meaningful way for the average voter to confirm that a barcode has accurately represented their vote. The use of barcodes is inherently opaque, and by its very nature violates the principle of transparency.

Furthermore, the use of barcodes has serious security risks. Harri Hursti said in testimony to the presidential commission on election integrity that barcodes can basically be used as a keyboard and they can be used to inject code into the process.
"When you read barcode, the problem is that barcode readers are usually a keyboard. So anything you can do with a keyboard you can do with a barcode. Barcode readers also have a bad habit of reading more standards than the standard you are using, and some of these barcodes can have a thousand, two thousand characters, and they can emulate the keyboard very effectively, so they can make those keyboard signs which are not-printable. Again, when you're reading a barcode, you can get an injection code into the system with that, and this is one thing which we found in the voting machine hacking village is how you can inject in some of these machines a SQL inject from the barcode. So these capabilities are very dangerous and we have to be very careful with the technology;"

Meanwhile the ES&S Express Vote that uses barcodes is being adopted rapidly. I was told it is already in use in 3 counties in TX. Jenny Cohn had a twitter thread yesterday listing the counties that have bought the machine including counties in Kentucky, West Virginia, Tennessee, Missouri, Indiana, Arkansas, and Wisconsin.

https://twitter.com/jennycohn1/status/991406567097483264

I don't know if there are ES&S vendors in the group. I am not trying to single any company out - but the use of barcodes was so troubling to election security activists in Georgia recently - that legislation to revamp their voter system was stopped because it was being written to allow the adoption of barcodes.




Lulu Friesdat

May 2, 2018, 1:12:31 PM
to Judson Neer, vvsg-cybersecurity
I respectfully disagree with the statement that "a standard representation of the data inside the barcode, is quite transparent."
It's not transparent to me as a voter, if I don't have a barcode scanner with me. And even if I do - since there is the possibility that the barcode is injecting code that is malicious and possibly not meant to be read - it is possible that what I would be reading would not be all of the data. Possibly it would not be clear to any scanner - even one built by a different vendor.

Why is it wise to advise people on how to carefully use things that are not ultimately safe?

Judson Neer

May 2, 2018, 1:28:24 PM
to Lulu Friesdat, vvsg-cybersecurity
I'm perfectly happy to "agree to disagree" with what constitutes transparency in this case, and also the degree to which the . Your points are reasonable, just (for me) not totally convincing. I'm glad for that tension, because it helps us all work towards the best requirements we can get.

I do want to address your last statement. I think there are two reasons to give advice on "not ultimately safe" things:

1. The argument that's been made before and more eloquently than me, that it might be wise to enumerate best practices and mitigation strategies rather than pretend the technology doesn't exist or that jurisdictions won't want to use it just because a voluntary requirements document bans it.

2. In the context of elections, ultimately everything is "unsafe" to one degree or other. DREs, VVPATs, barcodes, computers, paper ballots, the post office, election officials, etc. etc. etc. Admittedly not equally so, but that's the tough work of this process, to determine what technologies and processes are "safe enough" (especially when used in conjunction with other redundant technologies, audits, etc), and develop requirements on how to mitigate the risks that are involved. It's a balancing act to be sure, but the VVSG must advise people on how to carefully use things that are not ultimately safe, because that is literally its purpose.



Bridges, Tony - ELECTIONS

May 2, 2018, 1:52:32 PM
to Judson Neer, Lulu Friesdat, vvsg-cybersecurity

I think your points are very well made, Judson.

 

I believe that in the subject of barcodes it is important to distinguish two separate types of transparency: Transparency to auditors and transparency to voters. I think barcodes can easily fulfill the former by following open or at least published standards for both barcode encoding and data marshalling. However I don’t think the latter can be achieved. It must always be remembered that elections are open to all voters, including the sizeable percentage of the adult population who do not have access to the internet or regularly use a computer, and that there are plenty of issues with voters bringing their smartphones out in the voting booth. As such, I see no reason why they can’t be used by the machine for performance or usability reasons, but it should be clear that they are not voter-verified data and not the official record of a person’s vote.

 

I do agree that it is incorrect to take Hursti’s comments regarding barcode injection to mean that barcodes are a dangerous technology. It simply means that your application is as vulnerable as if someone was sitting at the keyboard, and all the same input sanitization and other considerations apply.

 

 


Schneider, Marc I

May 2, 2018, 2:05:24 PM
to Judson Neer, Lulu Friesdat, vvsg-cybersecurity

Looking at the Principles and Guidelines, it seems to me that requirements around bar code scanner security would fall under principle 14 – system integrity and principle 15 – detection and monitoring.

 

If there are concerns about bar codes as an attack vector for malware, guideline 15.3 - The voting system employs mechanisms to protect against malware. I believe that SQL injection attacks can be considered malware in this case, since the injected SQL statements are potentially code. Any use of bar codes, whether or not they contain ballot selections, needs to have security requirements in place. An argument can also be made for a requirement around injection attacks under guideline 14.2 - The voting system limits its attack surface by reducing unnecessary code, data paths, physical ports, and by using other technical controls.

 

What other security threats arise from bar codes, or bar code scanners?

 

Thanks,

Marc Schneider

Office: 703-983-0487

Cell: 703-667-0586
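
The input controls discussed in the messages above (treating scanner output as untrusted keyboard input, refusing unexpected symbologies, oversized payloads and non-printable characters, and keeping scanned text out of SQL statements), shown as an added example that is not part of the original thread or any vendor's code. The symbology name, payload grammar, ballot definition, table layout and sample scans are all assumptions constructed for illustration.

```python
import re
import sqlite3

# Everything below is assumed for illustration: the symbology name, the
# payload grammar, the ballot definition and the table layout.
ALLOWED_SYMBOLOGIES = {"QR"}   # accept only the symbology the ballot uses
MAX_PAYLOAD_LEN = 256          # far below the 1000-2000 chars a reader may pass
# Hypothetical published grammar: B1|<ballot style>|<contest>=<choice>;...
PAYLOAD_RE = re.compile(
    r"B1\|([0-9]{1,4})\|((?:[A-Z0-9]{1,8}=[A-Z0-9]{1,8};){1,40})"
)
BALLOT_DEFINITION = {"12": {"GOV": {"C01", "C02"}, "SEN": {"C03", "C04"}}}

# Constructed sample scans: (symbology reported by the reader, decoded bytes).
CONSTRUCTED_SCANS = [
    ("QR", b"B1|12|GOV=C01;SEN=C04;"),        # well-formed
    ("CODE128", b"B1|12|GOV=C02;SEN=C03;"),   # reader decoded another standard
    ("QR", b"B1|12|GOV=C01;" + b"A" * 2000),  # oversized payload
    ("QR", b"B1|12|GOV=C01;\t\r"),            # Tab and Enter "keystrokes"
    ("QR", b"B1|12|GOV=C01' OR '1'='1;"),     # SQL metacharacters
    ("QR", b"B1|12|GOV=C09;"),                # choice not on this ballot
]


class RejectedScan(ValueError):
    """Raised with a short reason when a scan fails validation."""


def parse_scan(symbology, raw):
    """Validate one decoded scan and return (style, {contest: choice})."""
    if symbology not in ALLOWED_SYMBOLOGIES:
        raise RejectedScan("unexpected symbology")
    if len(raw) > MAX_PAYLOAD_LEN:
        raise RejectedScan("payload too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        raise RejectedScan("non-ASCII byte") from None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise RejectedScan("non-printable character")
    match = PAYLOAD_RE.fullmatch(text)   # whole payload must fit the grammar
    if match is None:
        raise RejectedScan("does not match grammar")
    style, body = match.groups()
    contests = BALLOT_DEFINITION.get(style)
    if contests is None:
        raise RejectedScan("unknown ballot style")
    selections = {}
    for pair in body.rstrip(";").split(";"):
        contest, choice = pair.split("=")
        if contest in selections:
            raise RejectedScan("duplicate contest")
        if choice not in contests.get(contest, ()):
            raise RejectedScan("selection not on ballot")
        selections[contest] = choice
    return style, selections


def process_scans(scans):
    """Store accepted scans; return (stored rows, rejection reasons)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE selections (style TEXT, contest TEXT, choice TEXT)")
    rejected = []
    for symbology, raw in scans:
        try:
            style, selections = parse_scan(symbology, raw)
        except RejectedScan as exc:
            rejected.append(str(exc))   # log and set aside for human review
            continue
        # Bound parameters: scanned text is never concatenated into SQL.
        conn.executemany(
            "INSERT INTO selections (style, contest, choice) VALUES (?, ?, ?)",
            [(style, contest, choice) for contest, choice in selections.items()],
        )
    rows = conn.execute(
        "SELECT style, contest, choice FROM selections ORDER BY contest"
    ).fetchall()
    conn.close()
    return rows, rejected


if __name__ == "__main__":
    stored, reasons = process_scans(CONSTRUCTED_SCANS)
    print(stored)
    print(reasons)
```

These checks cover only the software input path; they do nothing for the voter-verification question raised elsewhere in the thread.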

 


Judson Neer

May 2, 2018, 2:16:58 PM
to vvsg-cybersecurity
Most obviously, any of the risks associated with a hardware device apply, since the use of a barcode implies the requirement for a scanner.

Judson Neer

Director of Engineering


Everyone Counts, Inc.

Phone: 937.902.7765

Email: judso...@everyonecounts.com

Website: www.everyonecounts.com


     


The information in this email, including any attachments, is confidential and intended solely for the use of the person or entity to which it is addressed. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is prohibited. Please notify the sender if you have received this message by mistake and delete this email from your system. Thank you.


To unsubscribe from this group, send email to vvsg-cybersecurity+unsub...@list.nist.gov


Visit this group at https://groups.google.com/a/list.nist.gov/d/forum/vvsg-cybersecurity
---
You received this message because you are subscribed to the Google Groups "vvsg-cybersecurity" group.

To unsubscribe from this group and stop receiving emails from it, send an email to vvsg-cybersecurity+unsub...@list.nist.gov.

--

Kind Regards,

Lulu

 

@LuluFriesdat

 

Emmy award-winning journalist & documentary filmmaker, reporting on election reform. Assignments with CBS Evening News, Good Morning America, NBC documentaries.


 


Bernie Hirsch

May 2, 2018, 2:22:30 PM
to Schneider, Marc I, Kevin Skoglund, vvsg-cybersecurity
How is OCR (or scanning of paper ballot location marks) independent of software? The optical scanner doesn't actually "read" the words or marks. It has motors, gears, and rollers that are controlled by software, and then it has light sensors that are controlled by software, and then the electrical signals generated by the contrasting areas of light and dark must align timing marks, create target areas, weigh the data, and be interpreted and matched up to some database of characters using software, which then uses some type of tabulation algorithms in a best guess attempt to match those interpreted marks or characters up to names in an election in order to give us totals. And it does all of this without any type of built-in integrity checking for the data itself, unlike a simple 2D barcode.

Granted human readable representations are independent of software (except the stuff in our brains) and can be verified by the voter. How does including a barcode representation in ADDITION to the human readable content change that? Compared to OCR there's much less back-end processing to do and it's more accurate. Both methods need software to work. With the performance of today's microprocessors the difference between entropy and compression ratios isn't going to make a significant difference in processing with this relatively small amount of data, but less paper handling with a more compact barcode representation will have significant usability and accuracy advantages over OCR or mark scanning. Rather than pull somewhat flimsy narrow thermal paper past a stationary OCR or digital mark scanner (without skewing, jamming, curling, etc.) we can merely hold the paper's industry standard barcode containing an industry standard vote record under a table-mounted or handheld scanner. A voter could potentially do the same thing. Perhaps one of our brilliant developers on this list (I exclude myself due to modesty) will create a free voter app just for that purpose?

The only way a voter can truly KNOW that the human readable printed characters are actually correctly counted (ignoring the fact that a blind person will never be able to see the paper) is some form of end-to-end system for verification, and even in those cases the voter's intent might not ever be 100% correctly interpreted because other humans and their flawed brains and software programs and scanners must come in and do the final tabulating. Any type of automation (OCR, digital scanning, barcodes, DREs, tabulators, election night reporting, etc.) ultimately relies on software and hardware in one form or another.

Bernie Hirsch

Susan Greenhalgh

May 2, 2018, 2:23:27 PM
to Keith Ingram, Kevin Skoglund, vvsg-cybersecurity
I think we should be able to discuss these ideas without insulting other members of this list.

Moreover, these assumptions are inaccurate. Each state's recount laws and procedures differ considerably. In some states there is no way to petition for any recount, let alone a hand recount. There most certainly is a danger that some states will recount from the barcode.
We are all forever learning about elections ;)

Susan Greenhalgh
Policy Director
National Election Defense Coalition
917 796 8782

On Fri, Apr 27, 2018 at 11:57 AM, Keith Ingram <KIn...@sos.texas.gov> wrote:
Strongly disagree with your statement about the "danger" of using bar codes in recounts.  This demonstrates that you know very little about actual elections. 

If a recount petitioner asks for a hand count then they will get a hand count.  This is a public proceeding with poll watchers present.  If a petitioner asks for a machine recount, then the bar codes will be scanned again.  There is no "danger" involved at all.





Arthur Keller

May 2, 2018, 2:32:59 PM
to Bernie Hirsch, Schneider, Marc I, Kevin Skoglund, vvsg-cybersecurity
It reminds me of an old saying:

A person with one clock knows what time it is. A person with two clocks is never sure.

Best regards,
Arthur

Nelson Rosario

May 2, 2018, 2:33:05 PM
to Bernie Hirsch, Schneider, Marc I, Kevin Skoglund, vvsg-cybersecurity
OCR systems scan human readable representations of voter intent, i.e., the bubbles they marked, that can be audited in physical form.

Intellectual Property Attorney
Chicago, IL, USA




Lulu Friesdat

May 2, 2018, 2:34:36 PM
to vvsg-cybersecurity
With a ballot that the voter marks themselves - they may not be able to know with absolute confidence how it is counted, but they can feel confident that if the ballot is clearly marked, another human looking at it, will know who they actually voted for.
That cannot be said of ballots where the computer prints a barcode - and the barcode is what is counted. And if there are barcodes - that is what is going to be counted - because it will be fast and easy.

Barcodes do not seem to meet these principles:

* 3.3 - The public can understand and verify the operations of the voting system throughout the entirety of the election.
* 7.3 - Voters can understand all information as it is presented, including instructions, messages from the system, and error messages.
* 9.1 - An error or fault in the voting system software or hardware cannot cause an undetectable change in election results.
* 9.3 - Voting system records are resilient in the presence of intentional forms of tampering and accidental errors. (If, for example, malicious code was injected into the system, so that the barcode and the printed text reflected a choice for 2 different candidates - at that point, the ballot is separated from the voter - and there is no way to know which candidate the voter actually chose.)

Or, in Texas, I was told, they are using the barcode ballots with a unique ID number that the voter can write down, so that the person can identify their ballot if there is any question - however this is violating the privacy provisions of Principle 10.
Ot


jennif...@gmail.com

May 2, 2018, 3:11:34 PM
to vvsg-cybersecurity
Kevin: Thank you for bringing attention to this important issue. Why include a barcode at all? The only reason I can think of is to prevent voters from verifying that their vote was recorded accurately.

Bernie Hirsch

May 2, 2018, 3:14:34 PM
to jennif...@gmail.com, vvsg-cybersecurity
There are a number of other reasons. To avoid repetition here, please see the entirety of our discussion from the past several days. Thank you.


Schneider, Marc I

May 2, 2018, 3:17:37 PM
to Bernie Hirsch, Kevin Skoglund, vvsg-cybersecurity
Bernie,

I didn't mean to imply that OCR is independent of software. I mean that human readable text is independent of software, when read by a human.

I also agree that it is impossible to have a 100% voter verified record, due to a variety of factors. However, I think modern technology does allow us to get very close to 100% voter verified records.

The concern I have regarding bar code representations of voter ballot selections in addition to human readable representations is that there is no way for the requirements to ensure that the human readable representation takes precedence. However, if the only representation is a human readable representation, then this isn't an issue. An audit can only be as good as the data available for audit; if the data is questionable, for example if the human readable and machine readable representations differ, the effectiveness of audits is reduced. Guideline 9.3 - "Voting system records are resilient in the presence of intentional forms of tampering and accidental errors" - explicitly states that we need to be concerned with the resilience of voting system records. The less that can go wrong, the more resilient the system.

I brought up the subject of entropy, because it is directly related to the amount of data that can be used to correct for errors. I referred to this "extra" data as redundant information. In the type of OCR system I'm talking about, the occurrence of characters is not evenly distributed, and the system can misinterpret individual characters, yet still accurately determine the ballot choice. For example, in the often cited 2008 MN Senate race, there were five candidates, plus a write-in. Ignoring write-ins, as they have to be handled specially in any case, that means that 3 bits are needed to represent the choice. Looking only at the last names, there were three candidates with 7 letter names, and one with an 8 letter name. If you use 5 bits to represent a letter, then either 35 or 40 bits are used to represent 3 bits of information. You can have a large number of those bits incorrect and still be able to determine with a high degree of accuracy the selected candidate. In fact, any three letter sequence is sufficient to uniquely identify the selected candidate. While this isn't a rigorous argument, my point is that OCR for voting is highly tolerant of misidentification of individual characters.

Any imaging system can be used for OCR, you don't need to use a traditional scanner. I've used a mobile phone based expense reporting system, that allowed me to photograph my receipts and it would automatically enter it into my expense report. Likewise, many mobile banking applications let you photograph checks, and convert the text into information that can be used for a deposit. These systems are no harder to use than a bar code scanner.

The main advantage I see in bar codes is that they allow for higher density information storage on paper. While this is a valid concern for many reasons, from a security point of view, they introduce auditability concerns, and potentially system integrity issues.

As a security engineer, I'm focused on the security concerns, and how to mitigate these concerns. Others have pointed out non-security related concerns, which I will leave them to debate and address.
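The redundancy argument in the message above, worked through as an added example that is not part of the original post. The surnames are constructed stand-ins (three 7-letter names, one 8-letter name, one other), and the function names and rejection thresholds are assumptions chosen for illustration.

```python
import math

# Constructed surnames (NOT the real 2008 candidates): three 7-letter names and
# one 8-letter name as in the post, plus a fifth of arbitrary length.
CANDIDATES = ["HALVERS", "BRENNAN", "MCTIGUE", "OKERLUND", "PRYCE"]
BITS_PER_LETTER = 5  # the post's assumption: 5 bits per printed letter


def redundancy(name, n_choices=len(CANDIDATES)):
    """Return (bits printed for the name, bits of information in the choice)."""
    return BITS_PER_LETTER * len(name), math.ceil(math.log2(n_choices))


def edit_distance(a, b):
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete a character of a
                           cur[j - 1] + 1,              # insert a character of b
                           prev[j - 1] + (ca != cb)))   # substitute (or match)
        prev = cur
    return prev[-1]


def decode(ocr_text, candidates=CANDIDATES, min_margin=2):
    """Map noisy OCR output to a candidate, or None when a human must adjudicate."""
    text = ocr_text.strip().upper()
    scored = sorted((edit_distance(text, c), c) for c in candidates)
    (best_d, best), (second_d, _) = scored[0], scored[1]
    if best_d > len(best) // 2:          # more than half the letters are wrong
        return None
    if second_d - best_d < min_margin:   # two names fit almost equally well
        return None
    return best


def fragment_owner(fragment, candidates=CANDIDATES):
    """Return the single candidate containing this fragment, else None."""
    hits = [c for c in candidates if fragment.upper() in c]
    return hits[0] if len(hits) == 1 else None


def every_trigram_is_unique(candidates=CANDIDATES):
    """Check, for this list, that any 3-letter run identifies one candidate."""
    return all(fragment_owner(c[i:i + 3], candidates) == c
               for c in candidates for i in range(len(c) - 2))


if __name__ == "__main__":
    print(redundancy("OKERLUND"))      # printed bits vs. information bits
    print(decode("0KEPLVNO"))          # four of eight letters misread
    print(decode("XXXXXXX"))           # unreadable: goes to adjudication
    print(every_trigram_is_unique())
```

Unreadable or ambiguous text returns `None` rather than a best guess, so those ballots go to human adjudication instead of being silently assigned.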

jennif...@gmail.com

May 2, 2018, 3:51:50 PM
to vvsg-cybersecurity
Bernie: As Kevin asked, why include a barcode at all? The only reason I can think of is to prevent voters from verifying that their vote has been recorded accurately.

Although voters also can’t verify that the scanner has recorded their votes accurately, why add a second potential attack vector that voters can’t detect?

Also, as we saw in 2016, meaningful manual recounts are far from guaranteed. For example, whereas some counties in Wisconsin agreed to a manual recount, most large counties refused.

In Michigan, the manual recount excluded precincts where the number of votes and the number of registered voters differed and where seals were broken.

Most states require manual recounts only if the margin of victory is less than a few percentage points. (And discretionary manual recounts are typically cost prohibitive when allowed at all.) Thus, potential hackers can avoid a manual recount by flipping enough unverifiable barcode votes to exceed the specified margin. If they do that, we are back to the barcodes.

Meanwhile, most states lack meaningful manual audit laws or procedures. And even if they get them some day, the audits won’t mean much without a secure and transparent chain of custody. If states have this much trouble accepting the need for paper ballots, getting them to implement a secure & transparent chain of custody will be a major hurdle.

Thus, with barcode balloting, the unverifiable barcodes may well be the only thing ever counted. And hackers would likely know that.


jennif...@gmail.com

May 2, 2018, 4:10:47 PM
to vvsg-cybersecurity
In the context of elections, as I understand it, transparency typically is measured primarily from the perspective of voters, not election officials and other insiders. Barcodes are opaque from the standard of voters bc they can’t read them.

Carl Hage

May 2, 2018, 4:11:03 PM
to vvsg-cybe...@list.nist.gov
On 05/02/2018 09:04 AM, Judson Neer wrote:
> For those who know the law better than I, are there provisions for having
> two representations, the primary being "plain text" (and hence easily voter
> verifiable), and a backup encoded in a barcode

This is what I would advocate, and the reason for a barcode. What voters
verify should be what is scanned. (If you can't scan a thermal roll, get
a better scanner-- if you ask me, scan and verification of the plain
text should be required.)

The bar code is a cross-check (or hint) for the plain text scan. If the
bar code has a digital signature, then that is tamper-resistance on the
paper record.

I think the main purpose of a bar code is a digital signature-- it
proves those results were printed on a particular machine that holds the
secret key.

Bernie Hirsch

May 2, 2018, 4:49:41 PM
to jennif...@gmail.com, vvsg-cybersecurity
Jennifer,

As has been pointed out BEFORE, no form of voting is 100% verifiable by the voter. We toss that term around like it's an absolute. It's not. Paper ballots ultimately get read into a cOmPuTeR in most places, which many in this cyber group seem to innately mistrust. What we think of as a final election result is many steps removed from the voter picking up their pencil or pushing a button. It usually involves all kinds of electronic devices, even in a "manual" recount. It's a conundrum.

If states once again want to trust chains of custody, hand counts, human interpretation, etc., as was done in the past and don't care much about voters with visual or other disabilities or the fact that we now have hundreds of millions of citizens and are satisfied getting the results days or weeks after Election Day with a Supreme Court ultimately getting involved then they will certainly promote paper ballots being counted by hand using paper ledgers or abacuses with no cOmPuTeR in sight. Otherwise make no mistake, we're cOmPuTeR dependent.

So why include a barcode at all? Because barcodes store data visually in a way that can easily, compactly and accurately be scanned by a cOmPuTeR. Their addition does not in any way alter the human readable information on the same physical ballot that may also be scanned by a cOmPuTeR or manually read by a human. The barcode creates an alternative and additional method of storing data on the media and more easily and accurately retrieving that data. That's it in a nutshell.

It has been said that we can't know the time with two clocks. Catchy phrase but it misleads. Our voting system currently uses multiple independent verification systems that if out-of-sync from each other require further investigation and audit. We want those kinds of checks and balances. Why do we encourage two-part authentication in security settings? Because after authenticating twice we radically increase the odds that the identity is correct. The same goes for voting. If the barcode doesn't agree with the other content on the ballot something is really wrong and people will start investigating. We want that. We can also perform checks with barcodes using independently developed systems to assure ourselves that everything is in sync in cases where hand counting is simply not practical (the majority of cases). It's a simple, well-vetted, publicly available interoperable technology. If we devise a standard vote record format for the already standard barcode symbology now we can really leverage technology that most Americans carry with them every day (including those with visual impairments).

I don't buy the argument that we should ignore useful, well-vetted technologies because they offer a vector for attack. According to that argument we should never allow human beings to hand-count ballots because of social engineering and other insider attack vectors. What if a D and R person in the same central count location BOTH disliked a local candidate for personal reasons? Is it beyond imagining that they could influence the outcome of close elections without discovery?

Yes, manual recounts are far from guaranteed - for a reason. They are error-prone, cumbersome, time-consuming, expensive, can certainly be hacked if very careful procedures aren't followed to the letter (when does that ever happen), and rarely if ever overturn the original automated results. Creating standards that leave no other choice virtually guarantees that those standards (unaltered) will never see the light of day.

Perhaps this is a good juncture to remind this group that the VVSG 1.1 standards were never successfully implemented by any voting system manufacturer. There was only one that attempted it and abandoned the effort. We are a small community and have learned through much experience what works and what doesn't - what passes and what fails - what seemed like a good idea and what fell by the wayside. One of the county co-workers in yesterday's primary reminded me of a profound truth, "it often makes little sense to introduce changes to how our elections are run because by the time they're implemented the environment has changed."

I'm all for change, especially in a dangerous world with bad people trying to do harm. Let's focus our resources in areas with the most to gain and least to lose. Hypothetical situations and doomsday scenarios may seem exciting and important, but we already have many safeguards in place that have been developed over many years that work. We can certainly improve and most of us are quite competitively trying to do that every day. Let's do our best to keep stuff that works and listen to the folks that do this stuff day in and day out where the rubber meets the road. Help us help you.

Bernie Hirsch
MicroVote General Corp


jennif...@gmail.com

May 2, 2018, 4:51:41 PM
to vvsg-cybersecurity, jennif...@gmail.com, bhi...@microvote.com
Bernie:

I looked through the thread and it seems this is where you summarized the reasons why you believe barcodes are a good idea. I'd like to go through them briefly.

1. "Barcodes provide a thoroughly vetted and tested range of publicly accepted and understood technologies that are a valuable tool in voting system design and implementation." I respectfully disagree in that barcodes in ballots have not been thoroughly vetted or tested according to Harri Hursti. (Please let me know if you believe Mr. Hursti is incorrect, i.e., if you are aware of a formal study on this issue.) And since barcodes in ballots are a relatively new concept, I think it's a bit of a stretch to say they are "publicly accepted." On the contrary, most people I've told feel the barcodes would be an invitation to fraud. Meanwhile, most voters who have used ballot marking devices already have no way of knowing that it is the barcodes (which they can't read), rather than the text (which they can), that is actually counted as their vote. Without this knowledge, their opinion on the issue is necessarily uninformed.

2. "They avoid many of the pitfalls of single optical mark interpretation and offer integrity safeguards that are absent in other forms of 'raw' visually stored data." I disagree that there is a serious problem with optical mark interpretation. In Minnesota's statewide recount, out of 2.92 million ballots cast, just 14 could not be decided unanimously by the bipartisan state canvassing board. https://www.sos.state.mn.us/media/3078/minnesotas-historic-2008-election.pdf

3. "Our voting systems will be more secure if we make it easier, not harder, to more accurately count or recount ballots." Again, I respectfully disagree to the extent you imply that barcodes will make it easier to more accurately count or recount ballots. If the votes are manipulated, the results will not be accurate at all, and it will be harder, not easier, to discover this because voters can't read and thus can't verify the bar codes.





Duncan Buell

May 2, 2018, 5:01:24 PM5/2/18
to vvsg-cybersecurity, Bernie Hirsch, jennif...@gmail.com
I have about a dozen emails in this thread that I have not read because I am jammed up right now until a 1230pm tomorrow event.

But Jennifer could not have said it better.

Barcodes are not transparent or voter-verifiable unless voters are provided at the polls with all the technology necessary to verify. And we know that is not going to happen, for the most part, is prevented by state law in many places, and is in general an unrealizable fantasy. They are a showstopper, and should be rejected out of hand.

Voter marks are indeed a problem. But they do leave marks to adjudicate. Barcodes do not unless there is embedded into law and practice a believable and serious audit process that statistically verifies that the barcode that is counted correlates 100% with the English that is read by the voter. Unless that is part of the law that permits barcodes, then barcodes should not be permitted, period.

I don’t care how hard it is or how long it takes for election officials to do their job. That’s their job. The goal is to make sure they get it right, not to make sure they get to “Miller time” on Election Day. Sorry, election officials, but that really ought to be the idea. We get the right result, and if it takes some extra effort, well, that’s what has to be done. Democracy is too important to become secondary in importance to efficiency in tabulation.


Duncan Buell
duncan...@gmail.com





Nelson Rosario

May 2, 2018, 5:06:16 PM5/2/18
to Bernie Hirsch, jennif...@gmail.com, vvsg-cybersecurity
One point relevant to the text below:

  • I don't buy the argument that we should ignore useful, well-vetted technologies because they offer a vector for attack.  According to that argument we should never allow human beings to hand-count ballots because of social engineering and other insider attack vectors.  What if a D and R person in the same central count location BOTH disliked a local candidate for personal reasons?  Is it beyond imagining that they could influence the outcome of close elections without discovery? 

Human beings will always (hopefully) be involved in election administration. Therefore, you can never remove the social engineering attack vector. The same can not be said of any technology that is used in election administration. So, the above argument does not really make sense, because you can't remove the humans from the equation as opposed to any technology used in election administration.

I agree that this group should "do our best to keep stuff that works and listen to the folks that do this stuff day in and day out where the rubber meets the road." The folks we should be listening to include vendors, academics, activists, concerned citizens, but most importantly election administration officials whose sole purpose is to serve voters and ensure the integrity of our elections.

At the end of the day, the whole point of the standards put forward here is to help ensure the integrity of our elections for the benefit of voters.

Intellectual Property Attorney
Chicago, IL, USA



Bernie Hirsch

May 2, 2018, 5:14:43 PM5/2/18
to jennif...@gmail.com, vvsg-cybersecurity

Jennifer,

 

Barcode technology is well-vetted worldwide in many different industries and most certainly publicly accepted. You are creating a strawman argument in suggesting that a lack of studies in a particular application (voting) invalidates the technology itself. Your argument then goes on to assume that the voter’s human readable text or marks is being counted ACCURATELY by the voting system dependent software and hardware. Maybe it is, maybe it’s not. Using anecdotal evidence from a single election in one state to prove your point doesn’t necessarily mean that all elections everywhere are equally accurate. I could point out that our touch button DREs show ZERO calculation and interpretation errors in both testing and practical use over many years and hundreds of millions of votes but would you accept that?

 

The short answer to your argument is just because a voter can read their data going into a system doesn’t mean it isn’t being manipulated in an undetected way downstream, either intentionally or unintentionally.  An E2E system might make a lot of sense in solving most of the verification problems related to the storing and processing of data in our voting systems.

 

Bernie

 


Bridges, Tony - ELECTIONS

May 2, 2018, 5:23:55 PM5/2/18
to Duncan Buell, vvsg-cybersecurity, Bernie Hirsch, jennif...@gmail.com

Election officials have no problem with taking the time and doing their job right. Unfortunately, many of them have arbitrary deadlines they are statutorily required to meet.

 

If you want election inspectors to do their jobs well and correctly without machine assistance, you’re going to have to convince the public, the press and most importantly legislators to go back to waiting for days to get results.

 

An optical scan tabulator no more reads the same information that a voter is reading than a barcode scanner does. The optical scan looks for the position of marks relative to the timing marks and then compares that against internal programming. At no point is it verifying that the result it comes up with matches the name the voter selected, and the scan process is completely opaque to the voter. If there is a mistake in the programming or the timing marks, the voter will never know. Similarly in a barcode scanner, it’s looking for marks relative to position indicators at the periphery of the barcode, and processing that against internal programming. That is why the gold standard for determining voter intent will always be public review of the paper ballot record. But there is no public or political will for the kind of time and resources that full hand counts require, which is why we have to turn to the compromise solution of audited machine counting.

 

Thank you,

Tony Bridges

WisVote Elections Specialist

Wisconsin Elections Commission
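
The point made in the message above, that an optical-scan tabulator maps mark positions through its programmed ballot definition and never reads the printed names, can be shown with a small model. This is an added example, not part of the original message and not any vendor's code; the row numbers, candidate names, darkness threshold and scan data are all constructed for illustration.

```python
"""Toy model of optical-scan interpretation and a paper review (constructed data)."""
from collections import Counter

# What is printed on the paper beside each oval, keyed by timing-mark row.
PRINTED_LAYOUT = {3: "Alice Adams", 4: "Bob Brown", 5: "Carol Clark"}

# Ballot definitions as loaded into the tabulator (hypothetical programming).
CORRECT_DEFINITION = dict(PRINTED_LAYOUT)
# A programming mistake: rows 3 and 4 are transposed.
FAULTY_DEFINITION = {3: "Bob Brown", 4: "Alice Adams", 5: "Carol Clark"}

MARK_THRESHOLD = 0.35  # assumed fraction of dark pixels that counts as a mark


def marked_rows(scan):
    """Rows whose oval is dark enough to count as marked."""
    return sorted(row for row, dark in scan.items() if dark >= MARK_THRESHOLD)


def interpret(scan, row_to_name):
    """Turn mark positions into a selection using only a row -> name table."""
    rows = marked_rows(scan)
    if not rows:
        return "UNDERVOTE"
    if len(rows) > 1:
        return "OVERVOTE"
    return row_to_name.get(rows[0], "UNMAPPED_ROW")


def machine_tally(scans, definition):
    """What the tabulator reports: positions looked up in its programming."""
    return Counter(interpret(scan, definition) for scan in scans)


def hand_tally(scans):
    """What reviewers of the paper count: the printed name beside each mark."""
    return Counter(interpret(scan, PRINTED_LAYOUT) for scan in scans)


def discrepancies(machine, hand):
    """Per-choice (machine, hand) counts wherever the two tallies differ."""
    names = sorted(set(machine) | set(hand))
    return {n: (machine[n], hand[n]) for n in names if machine[n] != hand[n]}


def ballot_level_mismatches(scans, definition):
    """Indices of ballots the machine read differently from the printed text.

    Catches errors that offset each other in the totals, which a
    tally-only comparison would miss.
    """
    return [i for i, scan in enumerate(scans)
            if interpret(scan, definition) != interpret(scan, PRINTED_LAYOUT)]


def make_scan(*dark_rows):
    """Constructed scan: every oval nearly blank except the rows given."""
    scan = {row: 0.02 for row in PRINTED_LAYOUT}
    for row in dark_rows:
        scan[row] = 0.80
    return scan


# Constructed batch: 5 marks on row 3, 2 on row 4, 3 on row 5,
# one blank ballot and one ballot with two marks.
SCANS = ([make_scan(3)] * 5 + [make_scan(4)] * 2 + [make_scan(5)] * 3
         + [make_scan()] + [make_scan(3, 4)])

if __name__ == "__main__":
    for label, definition in (("correct", CORRECT_DEFINITION),
                              ("faulty", FAULTY_DEFINITION)):
        machine = machine_tally(SCANS, definition)
        print(label, "definition")
        print("  ballots counted:", sum(machine.values()))
        print("  tally differences:", discrepancies(machine, hand_tally(SCANS)))
        print("  ballots misread:", ballot_level_mismatches(SCANS, definition))
```

With the faulty definition the number of ballots counted still reconciles, so only the comparison against the paper exposes the transposed rows.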


jennif...@gmail.com

May 2, 2018, 5:30:08 PM5/2/18
to vvsg-cybersecurity, jennif...@gmail.com, bhi...@microvote.com
Bernie:

That optical scanners are also opaque is not in my opinion a sufficient reason to add a second wholly unnecessary layer of opacity in the form of unverifiable barcodes. Again, I refer you to the Minnesota 2008 recount where just 14 hand marked paper ballots out of almost 3 million could not be agreed upon. https://www.sos.state.mn.us/media/3078/minnesotas-historic-2008-election.pdf.

You state that we should use barcodes because they "store data visually in a way that can easily, compactly and accurately be scanned by a cOmPuTeR." Again, that they CAN do it is not the point. The point is that they allow votes to be flipped without voters knowing it. That's a pretty hefty price to pay when the Minnesota recount shows there isn't a real problem with hand marked paper ballots. 

You also state that "Their addition does not in any way alter the human readable information on the same physical ballot that may also be scanned by a cOmPuTeR or manually read by a human." Even if true, that's not a reason FOR using barcodes in the first place. Moreover, as you noted, manual recounts and manual audits are far from guaranteed.

You further state that "The barcode creates an alternative and additional method of storing data on the media." Why is this important enough to justify unverifiable barcode voting?

Next, you state that bar codes provide a means to more easily and accurately retrieve data. Why is it so much easier to run barcodes through a scanner than to run handmarked paper ballots through a scanner? And even if it is marginally easier, absent a significant existing problem with the handmarked paper ballots, the risk of fraud inherent in unverifiable barcode voting should outweigh the marginal benefit of increased ease.

Finally, you state that barcodes are "more accurate." Perhaps there is a study supporting this. If so, please let me know. In the meantime, even if barcodes are somewhat more accurate in the absence of fraud, we live in a world where fraud is a significant possibility that cannot be disregarded. Assuming as we must that people will try to manipulate the votes, it makes little difference that barcodes may be somewhat more accurate if such people did not exist.

Schneider, Marc I

May 2, 2018, 5:33:30 PM5/2/18
to Bernie Hirsch, jennif...@gmail.com, vvsg-cybersecurity

Bernie,

 

I agree that data can be manipulated downstream after a voter verifies their ballot selections. However, I disagree that it can be manipulated downstream in an undetectable way. Software independence is all about detecting downstream manipulation. For software independence to work, you need to have the information that the voter verifies used during the audit. Bar codes confuse the issue, and there are other technologies which are human readable and address storage of ballot choices on paper. The use of a bar code implies that the system is printing the bar code on paper. These systems can print ballot selections that do not suffer from the issues associated with humans making marks on paper just as easily as they can print bar codes. The only disadvantage (from a data storage and readback point of view) is that human readable ballots do not store the information as densely as bar codes.

 

While E2E systems may solve this issue in the future, they are not yet a thoroughly understood and vetted technology.

 

Thanks,

Marc Schneider

Office: 703-983-0487

Cell: 703-667-0586

 


noah....@gmail.com

May 2, 2018, 5:43:57 PM5/2/18
to Bernie Hirsch, jennif...@gmail.com, vvsg-cybersecurity
Is there a business case such as the data read or interpretation error rate, or precinct scanner speed rate, cost (other than development costs already expended), that would point to barcode over OCR of printed ballot choice text as the better tech?   If so what’s that difference?

Thanks and sorry if I missed the answer earlier in the thread.

Noah Praetz

Please excuse typos and other grammatical issues that may be in this communication.  This was sent from my iPhone.  

Bernie Hirsch

May 2, 2018, 5:54:20 PM5/2/18
to Bridges, Tony - ELECTIONS, Duncan Buell, vvsg-cybersecurity, jennif...@gmail.com

Tony,

 

Well said!

 

I would add that we are promoting a new type of “gold standard” system audit specifically designed to leverage the intense and exhaustive EAC testing and certification program.  I have mentioned it before.  It’s called a Pre (and/or Post) Election Cybersecurity Sweep (PEPCS). It is technology agnostic, which means it will work for all certified fielded voting systems.  It verifies that the system is correctly configured as certified and has not been altered, either intentionally or unintentionally.  It can be run before, during or after every election.

 

We have trained professionals to perform the sweep as a service for our system, but to avoid the “fox guarding the henhouse” scenario can also train local personnel to perform the audit.  “During the sweep we use the System Identification Tools required with system certification to compare the digital signatures for the system against the ones in repository with the EAC.  These signatures were created during the trusted build process by an independent, certified voting system test lab.  We also verify the integrity of the election specific files.  Then we examine the component seals, decals and other physical component protections looking for signs of tampering.

 

Bernie Hirsch

Chief Information Officer

MicroVote General Corp

 


Jennifer Cohn

May 2, 2018, 6:03:38 PM5/2/18
to Bernie Hirsch, Bridges, Tony - ELECTIONS, Duncan Buell, vvsg-cybersecurity
Tony and Bernie:

Again, your main argument seems to be that because optical scanners are already opaque, we might as well go ahead and add a second layer of opacity (along with a second layer of opaque vendors, repair people, installers, etc. for the barcode balloting devices themselves).

We aren't talking about "no machine assistance" because we aren't talking about eliminating optical scanners. So that comment isn't convincing to me.


James Simmons

May 2, 2018, 6:08:42 PM5/2/18
to Duncan Buell, vvsg-cybersecurity
Duncan,

"I don’t care how hard it is or how long it takes for election officials to do their job. That’s their job. The goal is to make sure they get it right, not to make sure they get to “Miller time” on Election Day. Sorry, election officials, but that really ought to be the idea. We get the right result, and if it takes some extra effort, well, that’s what has to be done."

While I wholeheartedly agree with Susan's comment that we should try to discuss these topics on their merits and with respect towards one another, comments like this one sure make that difficult. If this truly reflects your opinion of how election officials view their job, your understanding is flawed and, in my view, reduces the credibility of your generally sound arguments. No one who actually works in elections "get to 'Miller Time' on Election Day". Most struggle mightily with circumstances far outside their control just to meet legal deadlines and requirements. 

For a standard to be meaningful - that is, widely adopted and effective - it MUST take into account the relative effort required to implement it. If voluntary guidelines require more resources to implement than can be made available, they just won't be adopted and we're all wasting our time here. Election officials work tirelessly, and more often than not their reward is closer to snide comments like yours than appreciation from the people they're serving.

I don't have a strong opinion on barcodes on ballots (other than a general belief that we should err towards providing requirements on how to use various technologies effectively over banning them), but I believe this statement was both out of line and counterproductive to the objectives of this effort, and we as a group should hold ourselves to a higher standard in what we write.

James


Jennifer Cohn

May 2, 2018, 6:39:55 PM5/2/18
to Bernie Hirsch, Bridges, Tony - ELECTIONS, Duncan Buell, vvsg-cybersecurity
Bernie: Unfortunately, the new gold standard system you described sounds so complicated it made my head spin. And if I can’t follow what it means then neither can the average voter, which basically equates with no public oversight, which means no transparency. Again, if fraud avoidance is the goal (as I believe it should be), then transparency must be viewed from the perspective of the public, not election insiders or the people they hire (who voters don’t know and have no reason to trust).  

Sent from my iPhone

Bridges, Tony - ELECTIONS

May 2, 2018, 6:40:35 PM5/2/18
to Jennifer Cohn, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

I can't speak for Bernie. My point is that barcodes paired with a human-readable VVPAT in reality are no more opaque than a system we have already come to accept. I do not presently have a business need that barcodes meet and optical scan does not, but I do know that if local election officials in the future do decide they have a need that is met by barcodes, they will use them regardless of what we say here. I think it is much more useful to regulate than to prohibit any given technology. Any technology can be used in an unsafe manner, and almost any technology can be used in a safe manner, and I see our job as to provide guidance on how to use technologies safely. In the extreme, I think we can say a technology is simply too unsafe or too challenging to implement safely, but I think if we do that we need to be prepared to state in no uncertain terms why and in what ways it is too dangerous or we won't stop anyone.


My comments regarding machine assistance were in direct response to "I don’t care how hard it is or how long it takes for election officials to do their job." And while I haven't heard it from this group in awhile, there absolutely are influential groups pushing to remove all electronics from the voting process.


Jennifer Cohn

May 2, 2018, 6:52:53 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Tony, I think you are mistaken when you say we have come to accept the current system. Many election integrity advocates and experts do NOT accept the current system. I for one am not a fan of VVPATS bc (among other reasons) voters don’t have X-ray vision and thus have no way of knowing if their vote as recorded & counted inside the machine matches the VVPAT and their intended selections. We have an opportunity to move toward more transparency in the form of hand marked paper ballots. 

Let’s not double down on opacity by embracing yet another type of balloting that voters can’t verify, especially when I have not heard of a single academic study showing that barcode balloting improves any aspect of the process, much less improves it enough to justify more opacity and another layer of unvetted vendors, repair people, installers, etc. 

By the way, have any academic studies been conducted on how barcode ballots fare in terms of accurate auditing or voters’ ability and willingness to catch and correct errors? 



Sent from my iPhone

Bridges, Tony - ELECTIONS

May 2, 2018, 7:10:18 PM5/2/18
to Jennifer Cohn, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

It is true that voters do not have X-ray vision and can't tell if their vote was recorded and counted properly. That is just as true of optical scan machines as it is of barcode readers or DREs. In fact, voter secrecy means that even in a hand-count the voter can only be certain their vote was counted correctly by observing the entire count. Even audits only truly address that problem if every ballot is audited. If you have a solution to that problem that maintains voter secrecy, I would love to hear it. The only solutions I've heard are variants on zero-knowledge proofs that only work in highly artificial election scenarios.


I do not pretend to know the business needs of every election jurisdiction in the country. What I do know is that if election officials feel the need for a technology, they will find a way to do it. And without recommendations on how vendors should implement it, they will likely do so in an unsafe manner.




Jennifer Cohn
May 2, 2018, 7:24:47 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
In sum, the only argument for barcodes seems to be that, although they make it a lot easier for fraud to go undetected (bc voters can’t read the barcodes), they MIGHT be more accurate than hand marked paper ballots assuming no fraud occurs, but we don’t have studies to confirm or quantify this.

Meanwhile, we also don’t have the benefit of usability studies to determine the extent to which voters are able to detect errors in even the human readable portion of these barcode ballots or the extent to which voters will be willing to start over if they do detect a problem. VVPATS did not fare well under Ted Selker’s studies. How can we in good conscience green light yet another computer generated paper printout without the benefit of such studies?

Also, even if barcodes allow for more accurate scanning than handmarked paper ballots (which has not been shown), this is not a reason to use barcodes in lieu of computer marked ovals which voters could at least verify. If someone disagrees, please let me know bc I don’t believe I’ve seen this last point addressed. 

Finally, how is it not a fraud on the public to describe barcoded paper printouts as “voter verifiable” when the only part of the printout actually counted as your vote (the barcodes) cannot be read by humans! If we do green light these things, we should at least caution vendors and election officials against calling them “voter verifiable.” We do not want to be complicit in misleading the public.

Jennifer Cohn
May 2, 2018, 7:30:54 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Unfortunately, we must consider more than the desires of election officials, some of whom may not fully comprehend the vulnerabilities and who may have an inherent human bias toward doing what is easiest. I do not mean to criticize, but such is human nature. We must also consider the very real vulnerabilities that academics, IT experts, and EI advocates have identified. And we must not dismiss the importance of restoring public trust in our elections. 

Bridges, Tony - ELECTIONS
May 2, 2018, 7:32:02 PM5/2/18
to Jennifer Cohn, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

Saying that the only thing that's counted on barcode ballots is the barcode is exactly as accurate as saying the only part of the ballot that's counted on a hand-filled optical scan ballot is the bubbles. Nothing ties the bubble to the selection next to it any more than something ties the barcode to the printed selections. It is a layer of opacity, but it's not an additional layer; it's the same layer.


I'm not an advocate for barcodes. But I understand the reality that when we say here that we ban a technology, all we're really doing is giving up our opportunity to suggest guidelines on how that technology could be made safer and more transparent.




Jennifer Cohn
May 2, 2018, 7:37:40 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Tony: I’m sorry but I didn’t follow that at all.

Duncan Buell
May 2, 2018, 7:50:38 PM5/2/18
to vvsg-cybersecurity, Bridges, Tony - ELECTIONS, Bernie Hirsch, Jennifer Cohn
Let’s try to summarize some of the comments:

From James Simmons:
A rebuke to me about my comment that making the job of the elections officials simpler should not take precedence over the requirement that they get things right.

Comments from Bernie Hirsch about a new software approach to verifying security.

Comments from Bernie Hirsch that technology like barcodes COULD be implemented properly. And that E2E would make things better.

Comments that some people want to do away with electronics altogether.

Here are my positions:
1) If that which is counted as the cast vote is a barcode, and that which is read by a voter is an English version of what is purported to be in that barcode, then it is false on the face of it that the process is “voter verifiable”. Period. End of discussion. Under any system in which the barcode is what is counted, then it’s either not voter verifiable or else there must be an open and transparent process (like a big poster in every polling place) as to what bar code goes with what vote. To argue otherwise is intentionally to distort traditional meanings of English words and their semantics.

2) If that which is counted is the barcode, but that which is viewed is English text, then there needs to be a requirement for a statistical audit of all votes to ensure that the barcodes match up with English text to a statistically satisfactory level.

3) If that which is counted is the barcode, then under no circumstances can anyone argue that the process of counting votes is software independent. Not even if done by one software vendor, or two, or twenty. Not without satisfying point 2 above. The process is not software independent, although its veracity might be statistically checked with an audit.

4) Yes, I believe software independence is a MINIMAL requirement for conducting elections. I have written an enormous number of lines of code. I have been part of huge projects (e.g., the largest single computation [at the time] in the history of the U.S. intelligence community). Software is hard. Software independence is a minimum requirement, because software is hard.

5) Indeed, my comment about “Miller time” was perhaps over the top. HOWEVER, I have read far too many arguments to the effect that quality and veracity can be compromised in order to simplify the job done by election officials. The ease of conducting elections is not a priority. We expect plumbers to crawl underneath houses. We expect police and fire to be out in inclement weather. We expect university professors to grade papers (I know, not really the same, but grading 70 exams in 24 hours so as to meet deadlines?) We expect the people who sign up for jobs with constraints and bursty activity to be willing to deal with those issues. I really don’t care that the election officials might have a long night after Election Day. I do care that we can make the task as straightforward (note that I did not say “simple”) as possible, but I am not willing to compromise quality and veracity. Democracy is too important for that.

6) Finally: I agree strongly with Jennifer that the process has to make sense to J. Random Voter. I have a Ph.D. in math, indeed in number theory. I certainly understand E2E. Do I think I could explain that to J. Random Voter and that J. Random Voter would understand completely? No. No possibility of that. The process in contrast needs to be something that the average voter can understand, and the vetting of the process needs to be something that the average voter can understand. Otherwise, we are in danger of losing the trust of the electorate.

7) For my money, this means voter marked paper. Period. End of discussion. I have a hard enough time explaining details to the self-selected group of computer science students who get to my middle-range classes. I don’t think anything other than voter marked paper is anything other than faith-based voting for the average voter of South Carolina. And I think all the arguments in favor of this technology or that because it has Wonderful Property X or Fabulous Characteristic Y are just flat bogus. If it can’t be transparent to the voter as the voter casts the ballot, and it can’t be understood by the average voter (about 75% of whom in South Carolina, if memory serves, don’t have a college degree), then it just should not be used.

Jennifer Cohn

May 2, 2018, 7:52:07 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Tony and Bernie:

Do you agree that it is best practice to try to reduce the number of attack vectors? If so, your argument that scanners are also opaque (creating an attack vector) does not justify adding another layer of opacity via unverifiable barcodes from electronic ballot markers (an additional attack vector). 

Again, unless and until rigorous academic studies show compelling evidence of a benefit sufficient to outweigh these concerns (and that voters can actually detect errors on the human readable portion of the printout), I feel it is important to strongly discourage the use of barcode balloting and to perhaps even ban it outright pending the results of such studies. It strikes me as a matter of basic due diligence. 

Leaving this up to election officials may not be a great option because they may not have time to think through and analyze all of these pros and concerns and would assume barcode balloting must be acceptable if it is allowed.





Duncan Buell
May 2, 2018, 7:55:52 PM5/2/18
to vvsg-cybersecurity, Jennifer Cohn, Bernie Hirsch, Bridges, Tony - ELECTIONS
I think a large part of this discussion is about your last sentence.

“Could be” might well be true.

“Would be” is what many of us feel is much less likely… and the burden of proof is not on us but on the vendors.



Duncan Buell
duncan...@gmail.com




Bridges, Tony - ELECTIONS
May 2, 2018, 8:01:11 PM5/2/18
to Jennifer Cohn, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

I agree that it is best for security to reduce the number of attack vectors. However, it is a well-known maxim in the security space that security that does not meet the needs of users is no security at all because users will find a way around it.


Electronic ballot markers meet a necessary need by providing the capability for voters with disabilities to vote privately and independently. When only people with disabilities use the electronic ballot markers, you reduce the voter secrecy for people with disabilities because a small enough number of people use them that it becomes statistically feasible to uniquely match them with a ballot.


I don't particularly care if those ballot markers use barcodes or not. But what I am saying is that whether you are using optical scan ballots or you are using barcodes, either way what is being counted is not the English text, to borrow from Duncan.




Bridges, Tony - ELECTIONS
May 2, 2018, 8:03:13 PM5/2/18
to Duncan Buell, vvsg-cybersecurity, Jennifer Cohn, Bernie Hirsch

And I'm telling you that realistically we have two options: Either you give vendors guidelines on how to do this safely and let the EAC and VSTLs test for them, or the vendors will do it on their own with no guidance.




James Simmons
May 2, 2018, 8:11:28 PM5/2/18
to Jennifer Cohn, Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Jennifer (and all!) —

Certainly the group needs to consider more than the experience and expertise of election officials, but that does not mean the real-world needs (or desires, if you prefer) of the people responsible for implementing a standard shouldn’t be given strong consideration. Most of the people on this thread will never run an election. Most will have the benefit of comfortable conversations like this, or lengthy studies and research that will not be endlessly scrutinized by the media, politicians, courts, and the public if they don’t balance security AND transparency AND accessibility AND usability AND timeliness.

It’s probably fair to say that there are election officials out there who don’t understand the vulnerabilities identified by others with academic expertise (though I can assure you from personal experience that a number of them understand them quite well). At the same time, we (collectively) must appreciate that their desires are generally formed by experiences working under constraints that those of us who don’t have to fight these battles in the trenches probably cannot comprehend or appreciate. 

I can’t stress enough my deep belief that for us to move the needle at all in our collective desire for more transparent, accurate, and ultimately democratic elections, we have to recognize that this is like any other exercise in vulnerability management — finding the right balance between feasibility and acceptable risk, and while in principle I want to make statements like “there’s NO level of acceptable risk in elections”, in practice we know that’s not realistic. 

I’ve seen members of this group take a position along the lines of, “it’s our responsibility to propose the most secure system possible; we should not compromise on this and if jurisdictions then choose not to follow our recommendations, the resulting anarchy is on them”. But that’s not the way it’ll happen.

First, this process doesn’t come with any associated funding, and I would opine (admittedly without research, but certainly from experience) that the entire amount of funding available in this industry is off by an order of magnitude. So without finding ways to introduce efficiencies into the election administration process, this standard will not gain traction. 

Second, and related, for this to be meaningful you must have vendors that are willing to build and support these systems. As a vendor representative I can say that I care very much about elections and consider them important enough to devote my career to (with long hours and less Miller Time than if I were off building mobile games or other such pursuits), but nonetheless for me to build something it had to be commercially viable. 

Third, given the above, jurisdictions will either stick to older standards or roll their own, meaning all of us who care about this topic are no closer to accomplishing our goals and have wasted each other’s time in the process.

Fourth, jurisdictions will exert pressure at the state and federal level arguing that these standards are unrealistic and unsupportable, the VVSG is a waste of time, and the EAC is a failed experiment.

Strong elections are vital to a functioning democracy. We all believe this. But we cannot ignore real-world constraints in the form of statutory requirements, economics, and political realities and hope to have a meaningful impact. 

Sorry for the preaching, but I’m becoming more and more concerned by our apparent inability or unwillingness to take issues past absolutes into the realm of collaborative compromises. 

James


Jennifer Cohn
May 2, 2018, 8:20:19 PM5/2/18
to Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Making reasonable accommodations for voters with disabilities is a terrible reason to force unverifiable (inherently less secure) voting on the entire electorate. This same type of argument was once made in support of touchscreen voting machines which many members of the disabled community now feel should be eliminated due to security concerns. 

Jennifer Cohn
May 2, 2018, 8:29:14 PM5/2/18
to James Simmons, Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
James: Without the benefit of rigorous academic studies, how can we in good conscience give these barcode printouts a pass? By doing so, we send a signal that perhaps such studies have been conducted. Because surely we wouldn’t give a green light without this basic level of due diligence. And I do not agree that a completely hypothetical future clamoring for barcodes justifies giving barcodes a pass. 

Jennifer Cohn
May 2, 2018, 8:34:01 PM5/2/18
to James Simmons, Bridges, Tony - ELECTIONS, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
James, Tony and Bernie: 

What are your thoughts on using the phrase “voter verifiable” to describe these barcode printouts? I feel it is incredibly misleading (since the barcodes are not voter verifiable at all) and vendors should be cautioned against using it. Maybe we can find some common ground on this point? Thanks.

Bridges, Tony - ELECTIONS
May 2, 2018, 8:47:37 PM5/2/18
to Jennifer Cohn, James Simmons, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

I believe that voter verifiable should not be used to refer to the barcodes. But I believe that using it to refer to the English selection printout that comes with the barcode is no more misleading than referring to an optical scan paper ballot as voter-verifiable. In either case, the voter is able to verify the official record, the English selections, but is not able to independently verify what's being counted, the barcode or the arrangement of bubbles and timing marks.




Duncan Buell
May 2, 2018, 8:49:26 PM5/2/18
to Bridges, Tony - ELECTIONS, vvsg-cybersecurity, Jennifer Cohn, Bernie Hirsch
Or it is written into the standards that they may not do it, and since too many states require certification, the vendors won’t do something they know they cannot sell. That is part of why getting the prohibition against The Wrong Idea is so important. 

Let’s get the priorities in the right order.
We want to do that which we know is verifiable and correct and will lead to transparency and trusted results.
We specify for vendors that which is deemed acceptable based on the standards of what is verifiable and correct and transparent and trustworthy.
The vendors build systems.

That’s the order. The reverse sequence is not the appropriate order.


Duncan Buell
duncan...@gmail.com



Jennifer Cohn

May 2, 2018, 8:54:45 PM5/2/18
to Bridges, Tony - ELECTIONS, James Simmons, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity
Tony: The question was whether it is acceptable for vendors and election officials to refer to the paper printout overall (not limited portions of it) as “voter verifiable”. Vendors & officials touting these things will not and have not included the caveat “I’m only referring to the text, not the barcodes” when discussing them.

Jennifer Cohn
May 2, 2018, 8:58:08 PM5/2/18
to Duncan Buell, Bridges, Tony - ELECTIONS, vvsg-cybersecurity, Bernie Hirsch
Tony: following up on my last comment, what makes you assume the written portion of the printout will be treated as the “official record”?

Duncan Buell
May 2, 2018, 9:02:09 PM5/2/18
to Bridges, Tony - ELECTIONS, Jennifer Cohn, James Simmons, Bernie Hirsch, vvsg-cybersecurity
This is absurd on the face of it. Sorry, but there is no other thing to be said.

A voter who looks at filled in bubbles does not, to be sure, know that the scanner will read the bubbles correctly. 
But that voter knows that the bubbles are next to the names, and anyone who looks at the ballot will know that the bubbles are next to the names.

A voter who looks at a barcode has NO CLUE as to what is in there unless there is permission to use a phone with a scanner, or a big poster with a table of barcodes and choices, or something similar. A voter looking at a barcode must absolutely have some other mechanism for even beginning to believe that the barcode is correct. 

This is totally and completely different from bubbles or arrows in a voter marked paper ballot. I really cannot believe that anyone is making a contrary argument. My undergraduates would be laughing at this. I teach a lot of computer science students. If a first year computer science student would conclude that this argument is bogus, then I would probably maintain that the argument is bogus.

I will bring up here a comment based on my youth in Louisiana. There’s a good Louisiana expression: “crawfishing”. For those of us in the know, we know that if one goes to grab a crawfish, it won’t move backwards out of the way. It will move sideways out of the way. The term “crawfishing” is a well known Louisiana expression for those who dodge a question by moving sideways. We are seeing a great deal of this here.

Let’s get to the point. Barcodes are not voter verifiable, and they are not software independent, and they are not transparent and open to J. Random Voter. If any of those three are deemed important, then barcodes must be prohibited as impediments to voter verifiability, software independence, and transparency.

Works for me.

done.


Duncan Buell
duncan...@gmail.com



Bernie Hirsch

May 2, 2018, 9:10:05 PM5/2/18
to Duncan Buell, vvsg-cybersecurity, Bridges, Tony - ELECTIONS, Jennifer Cohn

Duncan (and All),

 

Your position:  If that which is counted as the cast vote is a barcode, and that which is read by a voter is an English version of what is purported to be in that barcode, then it is false on the face of it that the process is “voter verifiable”.

 

Tony is right.  Your position above is incorrect for multiple reasons (some of which I’ve added).

1.    Digital scanners don’t “count” the English version of a ballot.  Scanners use complicated proprietary software/hardware to INTERPRET light and dark areas on paper in an attempt to match that raw data up to a database of possible selections based on a number of parameters.  The process is entirely opaque, software dependent and virtually identical to the reading of printed barcode data (except it’s more proprietary than reading standard barcodes, and the raw data doesn’t have error correction built-in).

2.    I’m not an advocate of paper ANYTHING during an election.  Horrible usability and accessibility issues.  But if we must use paper as a storage medium, there is no difference between converting light and dark areas of the paper in the form of letters, numbers, bubbles, or barcodes to digital information.  The only real difference is how well those images are protected against corruption.  Hacking a paper ballot is relatively simple – just make an extra mark here or there.  Hacking a barcode with error detection is not going to be a trivial pursuit because of the built in integrity checking.

3.    It is an illusion that a voter is “verifying” anything.  Once cast their ballot is irrevocably intermixed with everyone else’s, and almost always tabulated by software/hardware. If a post-election audit takes place, a relatively small number of ballots are sampled to see if the hand totaled tally matches the machine tally.  There is no way to ever know if the voter’s ACTUAL ballot was correctly tabulated.  For all we know the software/hardware flipped their ballot one way and a different ballot the opposite way, making the overall tally accurate but NOT tabulating their ACTUAL ballot correctly.

4.    The integrity and security of paper ballots with easily hacked raw data is almost entirely dependent on procedures and beyond the scope of this group, whereas barcodes are within scope.

5.    A hand-counted tally is going to use the “voter verifiable” section of the ballot, regardless of what other machine readable light and dark areas are present.

6.    A post-election audit could just as easily verify that a random sampling of scanned barcodes match the human readable information on ballots.  It would be an identical process to machine scanning using OCR, digital bubble detection, etc. and comparing those tabulated results to the human readable information.  A barcode audit might be superior because there are a great number of independently available applications and hardware to do the scanning and interpreting of the barcodes.

7.    Not all ballots will be ENGLISH.  We are now required and will most likely continue to be required to present the ballot in the alternative language of the voter, including any “voter verifiable” paper record.  Without the use of some type of foreign key to link these various representations of candidates to one tabulation record we will end up with a mess, especially when using OCR.

8.    Voters can do more than “read.”  In fact some of them can’t read due to illiteracy, non-written language or visual impairment.  Many of them can “listen” and “scan” and “touch.”  A well-designed fairly basic (by today’s standards) scanning smart phone app of the future could certainly mitigate the concerns of what few voters actually pay attention to verification in the first place by allowing them to scan their own ballot during the casting process.

9.    We don’t need fancy academic studies to prove that barcodes work or demonstrate our “due diligence.”  Just ask a Fedex driver.

10. Voters can currently bring their smart phones into the booth by law and use its camera to take a selfie with their ballot (or scan a barcode) in 20 states.

11. Guidelines and Standards are only effective if they offer guidance and are standard.  Creating a VVSG that is not implemented (like V1.1) is worse than no standard at all because it wastes everyone’s time and encourages isolated, less vetted new solutions or the continued use of legacy systems.

 

And having said that, I believe I’ve contributed quite enough to this discussion on barcodes, especially considering our system doesn’t even currently use them and our paper scanning in general is thankfully a relatively small percentage of our overall votes cast (I’m speaking from mucho personal experience here).  I will defer to the group for further comment and hope reason triumphs.

 

Thank you.

 

Bernie Hirsch

MicroVote General Corp
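
Added example, not part of any participant's message and not any vendor's format: a sketch of the barcode-versus-text sampling audit that Duncan Buell's point 2 calls for and Bernie Hirsch's point 6 describes. The payload layout, the public code table, the ballot records and all function names are constructed for illustration, and the barcode is assumed to be decoded by a reader independent of the voting system under audit.

```python
import math
import random

# Constructed public code table: contest id -> (contest name, {choice id: printed name}).
CODE_TABLE = {
    "01": ("Mayor", {"1": "Alice Adams", "2": "Bob Brown"}),
    "02": ("Measure A", {"1": "Yes", "2": "No"}),
}


def decode_payload(payload):
    """Decode the hypothetical payload 'contest:choice|contest:choice' via the public table."""
    selections = {}
    for field in payload.split("|"):
        contest_id, choice_id = field.split(":")
        contest, choices = CODE_TABLE[contest_id]
        selections[contest] = choices[choice_id]
    return selections


def parse_printed_text(text):
    """Parse the human-readable lines 'Contest: Choice' as a hand auditor transcribes them."""
    selections = {}
    for line in text.strip().splitlines():
        contest, choice = line.split(":", 1)
        selections[contest.strip()] = choice.strip()
    return selections


def ballot_matches(ballot):
    """True only if the barcode and the printed text name the same selections."""
    try:
        return decode_payload(ballot["barcode"]) == parse_printed_text(ballot["text"])
    except (KeyError, ValueError):
        return False  # an undecodable payload or unknown code is itself a discrepancy


def miss_probability(total, bad, n):
    """Chance that n ballots drawn without replacement contain none of `bad` mismatches."""
    if n > total - bad:
        return 0.0
    return math.comb(total - bad, n) / math.comb(total, n)


def sample_size(total, bad, risk_limit):
    """Smallest sample that misses `bad` (or more) mismatches with probability <= risk_limit."""
    for n in range(1, total + 1):
        if miss_probability(total, bad, n) <= risk_limit:
            return n
    return total


def audit(ballots, bad, risk_limit, rng):
    """Draw the sample and return (sample size, sorted ids whose barcode and text disagree)."""
    n = sample_size(len(ballots), bad, risk_limit)
    sample = rng.sample(ballots, n)
    return n, sorted(b["id"] for b in sample if not ballot_matches(b))


def make_ballots(count, altered_ids):
    """Constructed ballots: every printout reads Adams/No; altered barcodes encode Brown."""
    ballots = []
    for i in range(count):
        barcode = "01:2|02:2" if i in altered_ids else "01:1|02:2"
        ballots.append({"id": i, "barcode": barcode,
                        "text": "Mayor: Alice Adams\nMeasure A: No"})
    return ballots


if __name__ == "__main__":
    # 50 of 1000 constructed ballots carry a barcode that disagrees with the printed text.
    ballots = make_ballots(1000, altered_ids=set(range(0, 1000, 20)))
    # The seed here is fixed for repeatability; it stands in for a publicly generated one.
    n, found = audit(ballots, bad=50, risk_limit=0.05, rng=random.Random(2018))
    print(f"sampled {n} of {len(ballots)} ballots; mismatching ids: {found}")
```

The sample size bounds only the chance of overlooking barcode/text disagreement on at least `bad` ballots; it says nothing about whether the printed text reflects what the voter intended.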

 

Bridges, Tony - ELECTIONS
May 2, 2018, 9:15:23 PM5/2/18
to Jennifer Cohn, Bernie Hirsch, Duncan Buell, vvsg-cybersecurity

When an optical scan tabulator reads a hand-filled paper ballot, the tabulator doesn't see the selections. It sees bubbles and timing marks, the same way a barcode scanner doesn't see the written selections, it sees lines or squares. They are basically the same technology, with a different spatial rendering. It does not make technical sense to say that one is more opaque than the other, so long as the human-readable selections are there and match what the voter selected.


In regards to my second paragraph, what we are creating here is voluntary guidelines vendors may choose to meet and states may choose to require. If election inspectors want a technology or feature that is prohibited by the VVSG, they will just pay vendors to create a way to do it that doesn't get approved by the EAC. That means hardware and code that never gets reviewed, and features that don't meet any standard. That's what has happened right now with modems in tabulators. Instead of blocking an insecure technology, the greatest assurance of security comes from providing guidelines for the correct way to implement it.




Bridges, Tony - ELECTIONS
May 2, 2018, 9:20:24 PM5/2/18
to Jennifer Cohn, Duncan Buell, vvsg-cybersecurity, Bernie Hirsch

Yes. That would be the law here. If the barcode was the official record, then I think you would have a valid point, but I see no reason why it would be.




Bridges, Tony - ELECTIONS
May 2, 2018, 9:28:10 PM5/2/18
to Bernie Hirsch, Duncan Buell, vvsg-cybersecurity, Jennifer Cohn

Thank you Bernie for mentioning voters that do not read English due to language, vision or education barriers. I was mirroring Duncan's language and attempting not to muddy the waters, but it is vital to remember that a voting solution must work for all voters. If we selected out any other population of voters, especially one that constitutes nearly 15% of the electorate, and said that we didn't care about making it easier for them to vote we would (rightly) be excoriated in the media.



