What follows is an initial quite technical report pertaining to what was labeled an “audit” of the ballot data transmitted over the internet on behalf of 119 voters using the Voatz platform in the Denver Colorado Municipal Election of May 7, 2019. The voters are military and overseas (UOCAVA) electors who chose to use the cell-phone based voting method.
Here is a paragraph that is part of the Terms and Conditions of participation in the “audit” process:
Responsibilities
The auditor shall conduct an audit of the mobile voting pilot by comparing the voter verified digital receipts (VVDRs) to the corresponding paper ballot images and cast vote record data provided by the jurisdiction. Similarly, the auditor may compare the VVDRs with the data recorded on the blockchain by utilizing the tools provided as part of the Service.
While auditing, we ask you to refrain from (1) Any activity that could lead to the disruption of our service (DoS), (2) Spamming, (3) Social engineering (including phishing) of Voatz staff or contractors, (4) Any physical attempts against Voatz property or data centers, (5) Sharing any receipts or images from the audit tool on a public forum without the prior written permission of the jurisdiction.
It is notable that the above instructions and the web-based facility provided limited access such that little can be learned from what I will call a review of digital image artifacts of ballot data transmitted by Voatz and the Denver Election Division on behalf of 119 presumably anonymous voters. Anonymity was provided by linking the artifacts using a long unreadable code associated with each voter such as HJK3SX5Z9xnSe62DXsN2x0bHkXsnMuMpFH9DlmF6AvG. The NCC referred to in the text is the National Cybersecurity Center in Colorado Springs. NCC’s partnership with Voatz for the Denver pilot project is supported by Tusk Philanthropies.
Context is available in the following article: https://www.nationalmemo.com/counting-voatz-inside-americas-most-radical-voting-technology/
Initial response to NCC in respect to the “audit” opportunity for the Denver 2019 Municipal Election
Harvie Branscomb, harvie [at] electionquality.com
The instructions associated with the “audit” were to connect
via internet to a Voatz server and obtain from there five sets of presumably
anonymous records related to 119 Denver UOCAVA voters who chose to use a
cell-phone based voting method that receives and delivers vote options and
selections over the internet. The offer of access to review did not include the
eligibility portion of the election process, and depended itself on records
that can be communicated over the internet rather than the physical versions,
to the extent they exist. The five sets
of electronic records provided, containing various forms of contest selections
tabulated in the Denver Municipal election are:
1) a digitally originated image of two sides of 119 full
text standard Dominion format ballots with contest selections printed into it
digitally, then printed at the Denver central count facility, imprinted with a
tracking number on Denver’s Canon imprinters, scanned by the Dominion Democracy
Suite voting system, redacted (presumably by Denver staff) to remove evidence
of style number, precinct number, and evidence of contests that define styles,
transferred to Voatz as a pdf for download from their server;
2) 119 pdfs containing indications of contest-selections
(and not the contest-options) sent (not in a verifiable manner but largely
anonymously) as an attachment by email to the jurisdiction and to each voter
after “casting” on the cell phone with instructions to write to
mailballots@denvervotes.gov (?) with any disagreement; but when it appeared on
the Audit Suite that pdf was redacted also to remove indications of style by
removing the contests that were not countywide;
3) an online browser that accesses blocks in a blockchain
hosted at unknown locations that serves up two payload records per block, each
of which can be digested and converted into a meaningful decimal number by
external software, including one called base64decoder. The browser that serves
up the two crypto keys associated with each block and then searches for the
digital payload that requires decoding is extremely inconvenient, error prone,
slow and impossible to fully automate (perhaps deliberately). The speed at
which the operation can be done manually means that very few presumed ballot
contents will be compared between electronic data sources. And at best only
semi-automated operation is possible. I have been testing various methods with
considerable difficulty.
4) An online Google spreadsheet contains the lookup table
between a string of numerical characters decoded from the digital payloads and
the contest option names. An examination of this array suggests that some
errors or discontinuities are included, such as rows 577 and 578, which show the
contest choice in Spanish. This may suggest that a voter voted YES on both of
the two ballot questions using Spanish in the voter interface, perhaps
revealing their identity in so doing. It may be that this sheet also reveals
the count of votes for each contest choice (except for the ballot questions
where the two questions are not distinguished by the answers.) Other than the
ballot question choices, the other choices in this table probably share a
direct relationship with a voter (although the name of the voter is not
revealed here). About 105 entries do not contain candidate names but instead
“Redacted per CO State Law” that suggests that redaction has taken place here
too. I’ll cover the presumed need for redaction in a separate section, perhaps
in future.
5) Lastly a CVR file is made available as a .csv. The CVR file also does not include the
non-countywide contests or the ballot style or precinct column Dominion would
have exported. It also contains an “anonymous ID” column that the Dominion CVR
does not contain. The provenance of this sheet is not stated. While it could
for the most part be sourced from the Dominion voting system, the Anonymous ID
could not have been added by Dominion without extra programming (and
recertification). Therefore one must presume that the anonymous ID was added by
hand at Denver using a list of anonymous IDs supplied by Voatz – probably in
the form of filenames for the pdfs of the printed, suitable-for-tabulation
ballot images. It is unclear from what process the CVR was created. It is clear
that manual manipulation was involved.
Unfortunately, not one of these 5 image sources is in a
form that has verifiable credibility from my perspective as auditor – meaning
it would match a physical source document that can be observed physically to
establish credibility for my remote access only to a digital copy. The image
that comes closest is the ballot image – categorized above as #1.
#1 ballot image – is known to be sourced from the Denver
Dominion scanner #3 (indicated in the CVR) and imprinter #8 because the
imprinted number appears in the image. Without the evidence of the imprinted
number in the image, one would not know if the image came directly from Voatz
software or from the Dominion scanner.
And as it happens I observed the ballots being printed on a small
printer, imprinted by Canon imprinter #8 and scanned by Dominion/Canon scanner
#3. However, these images have also been manipulated somewhere to produce what
is downloadable from Voatz – modified by the black bands that obscure style
markers, precinct and style text indicia and entire contest options and
selections. Ideally all audit documents would have a direct association with a
source document that is physically observable were I to ask to see it.
Apparently because of the evident requirement for redaction – I would not be
allowed to see the original ballot or cast vote record in original form.
#2 “voter-verified receipt” – is also a redacted pdf that is
not the same that was sent to the voter. There is no proof that any form of it
was sent to the voter or that the voter received it. There is no indication
whether the voter responded to the email sent to them or not or whether the
voter looked at the pdf in any form (printed on paper or onscreen). Thus from
the point of view of an “audit” – this is not credible evidence for voter intent;
it is far from verified although it is labeled as “Voter-Verified Receipt This
is the receipt that was sent to the voter” on the Voatz Audit Suite display.
That label appears to be faulty as neither I nor Voatz can know if the voter
verified the receipt without further information that is not apparently
available from Voatz. The jurisdiction may have some evidence in the form of an
email response from the voter, but the Audit Suite provides no such
information. Thus the image in #2 is not credible as a record of voter intent.
#3 encrypted data – is the data sourced from the block chain
that produces an encoded “payload” from which a string of numbers that index
into a lookup table is to be copied. There is no physical source record that
backs up the contents of the blockchain or gives it credibility – usually in a
conventional ballot marker that would be a paper ballot that the voter had
verified or at a bare minimum had the opportunity to physically verify. The
multiple layers of obfuscation involved in encoding data obtained from an
interaction with a cell phone into the blockchain do not add any credibility to
the contents eventually obtained from within. The fact that data is stored in
the blockchain indicates that Voatz is closer in design to a paperless DRE
than a ballot marker – and election results can be obtained from the
blockchain, perhaps with great difficulty. As mentioned above however, it
appears that election results can be obtained from item #4.
#4 – the lookup table – is of provenance unknown. It appears
not to come from the jurisdiction but rather from Voatz software and it
resembles in some ways the cast vote record without a visible correlation of
the voter selections to a single cell phone (and voter). It is doubtful that
there is a verifiable source document for this data, but rather only electronic
data stored in memory on a Voatz server at one point. This lookup table is not
offered with any supportive evidence or means to verify its accuracy, instead
it is offered as a crucial step in using the blockchain to verify accuracy of
other records such as the ballot image that once printed at central count is
used to tabulate the Voatz-collected input.
#5 cvr – is a collage of information from the Dominion
system and from Voatz – perhaps the string of characters printed from a Voatz
software-created ballot image was manually observed by Denver staff and added
to or verified against a list of numbers pasted into the resulting CVR that
also was partially redacted. Any of these electronic records could have been
hashed at the time of creation by trusted election officials and the hashes
committed in published public records as the hashes of the CVR from Dominion
are when the CO SOS manages a statewide RLA – but hashes that may have been created
by Denver for the entire election (if they followed the protocol for the state
RLA) would be useless for me to use to verify the authenticity of the CVR
produced by Voatz because the CVR has already been redacted after the hash
would have been made. If the jurisdiction had created a hash for every set of
contest columns, and published the records prior to commencing the RLA, and if
all the CVRs were published, then I as a remote observer might have gained
adequate confidence in the authenticity of the CVR with respect to the
tabulated paper ballots (that I would also need to have access to see).
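The per-column commitment idea in the paragraph above, as an added example (not code from the report, Denver, Dominion or Voatz): one SHA-256 digest per CVR column is published before redaction, and a later redacted copy is checked column by column. The `record_id` key, the column names and the sample rows are constructed assumptions, and the check presumes the redacted file still contains every row.

```python
import csv, hashlib, io

def column_commitments(cvr_text, id_col="record_id"):
    """One SHA-256 per column over (record id, cell) pairs in record-id order."""
    rows = sorted(csv.DictReader(io.StringIO(cvr_text)), key=lambda r: r[id_col])
    out = {}
    for col in rows[0]:
        if col == id_col:
            continue
        h = hashlib.sha256()
        # Length-prefix every field so adjacent values cannot be re-split.
        for field in [col] + [x for r in rows for x in (r[id_col], r[col])]:
            data = field.encode("utf-8")
            h.update(len(data).to_bytes(4, "big") + data)
        out[col] = h.hexdigest()
    return out

def verify_redacted(redacted_text, published, id_col="record_id"):
    """Classify every column of a redacted CVR against published commitments."""
    found = column_commitments(redacted_text, id_col)
    report = {}
    for col, digest in found.items():
        if col not in published:
            report[col] = "uncommitted"   # added after the commitment was made
        elif digest == published[col]:
            report[col] = "verified"
        else:
            report[col] = "MISMATCH"
    for col in published.keys() - found.keys():
        report[col] = "redacted"          # withheld, so nothing to check
    return report

# Constructed sample data (hypothetical layout, not the real Denver CVR).
ORIGINAL = """record_id,Precinct,Mayor,District 9 Council,Question 1
3-8-001,P101,Candidate A,Candidate X,YES
3-8-002,P202,Candidate B,,NO
3-8-003,P101,Candidate A,Candidate Y,YES
"""
# Redacted copy: two columns dropped, an ID column added, rows reordered,
# and one Mayor cell altered (record 3-8-003).
REDACTED = """record_id,anonymous_id,Mayor,Question 1
3-8-002,ID-BBB,Candidate B,NO
3-8-001,ID-AAA,Candidate A,YES
3-8-003,ID-CCC,Candidate B,YES
"""
PUBLISHED = column_commitments(ORIGINAL)

if __name__ == "__main__":
    for col, status in sorted(verify_redacted(REDACTED, PUBLISHED).items()):
        print(f"{col:20} {status}")
```

Because each column is committed separately, dropping the style-defining columns leaves the remaining digests checkable, while a column added afterwards shows up as uncommitted rather than silently trusted.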
My initial conclusion is that the data offered has
insufficient substantive credibility or means to establish it subject to a
request for further physical observation. As a credentialed watcher I did see 6
paper ballots being printed and then 118 imprinted and then scanned but that
experience was insufficient for me to establish that the redacted ballot images
later provided by the Voatz Audit Suite are authentic. The data collected by
cell phone has little credibility as voter-verified intent from an audit point
of view because the means of verification was at very best uncertain, not
measurable, and depending on transmission to both voter and jurisdiction from Voatz
servers offsite, leaving opportunities for strategic manipulation by various
parties. And also leaving open an opportunity for the voter to contest without
merit the recorded voter intent. According to information I personally obtained
from Voatz there is a possibility to obtain sensor information from the voter’s
telephone device in case of contest without merit – but this sounded highly
problematic in terms of data longevity and/or voter privacy implications
regardless of the existence of a legal contest.
For these reasons it seems of only moderate value to
actually compare the 4 different datasets as well as extremely difficult to do
so. I have collected perhaps a hundred payloads that can be converted into that
many contest choices among reportedly 862 total. I can now presumably, with properly
programmed automation, compare the contest choices collected from the blockchain
to cast vote record entries or manually and visually to the computer printed
marks on downloaded ballot images.
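One way to automate the comparison described above, as an added example rather than the author's or Voatz's tooling: each hand-collected payload is base64-decoded to a digit string, mapped through the lookup table, and checked against the CVR row with the same anonymous ID. The payload encoding (base64 of ASCII digits), the column names and all sample values are assumptions constructed for illustration.

```python
import base64, csv, io

def decode_payload(b64):
    """Base64 payload -> string of decimal digits, or None if it is not one."""
    try:
        text = base64.b64decode(b64, validate=True).decode("ascii").strip()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isdigit() else None

def reconcile(payloads, lookup_text, cvr_text):
    """Return sorted (anonymous_id, contest, problem) tuples; empty = all agree."""
    lookup = {r["code"]: (r["contest"], r["option"])
              for r in csv.DictReader(io.StringIO(lookup_text))}
    cvr = {r["anonymous_id"]: r for r in csv.DictReader(io.StringIO(cvr_text))}
    problems = []
    for anon_id, blobs in payloads.items():
        row, seen = cvr.get(anon_id), set()
        if row is None:
            problems.append((anon_id, "*", "no CVR row"))
            continue
        for blob in blobs:
            code = decode_payload(blob)
            if code is None:
                problems.append((anon_id, "?", f"undecodable payload {blob!r}"))
            elif code not in lookup:
                problems.append((anon_id, "?", f"code {code} not in lookup table"))
            else:
                contest, option = lookup[code]
                seen.add(contest)
                recorded = row.get(contest, "")
                if recorded != option:
                    problems.append((anon_id, contest,
                                     f"chain={option!r} cvr={recorded!r}"))
        # CVR selections for which no blockchain payload was collected.
        for contest, value in row.items():
            if contest != "anonymous_id" and value and contest not in seen:
                problems.append((anon_id, contest, "no payload collected"))
    return sorted(problems)

# Constructed sample data (hypothetical codes, contests and IDs).
def enc(digits):
    return base64.b64encode(digits.encode()).decode()

LOOKUP = ("code,contest,option\n1001,Mayor,Candidate A\n1002,Mayor,Candidate B\n"
          "2001,Question 1,YES\n2002,Question 1,NO\n")
CVR = "anonymous_id,Mayor,Question 1\nID-AAA,Candidate A,YES\nID-BBB,Candidate B,NO\n"
PAYLOADS = {"ID-AAA": [enc("1001"), enc("2001")],
            "ID-BBB": [enc("1001"), "!!notbase64", enc("9999")]}

if __name__ == "__main__":
    for problem in reconcile(PAYLOADS, LOOKUP, CVR):
        print(problem)
```

An empty result only shows that the three electronic records agree with each other; it says nothing about whether any of them matches what the voter intended.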
I will probably complete the semi-automated means to verify
whether those that I have collected actually do match, but have not had time to
do so yet. But even if all match, there
remains substantial doubt whether the voter intent was adequately transcribed
to the blockchain and to whatever software printed the resulting ballot images
that were sent by internet to the Denver counting center. And according to
reports from the survey of the voters themselves, there is substantial doubt
about the privacy of the voter intent under the circumstances of the voter
perspective. That topic is of great interest to me and may be the topic of a
further discussion from me, along with questions about unused or skipped blocks
in the blockchain and a review of the legal requirement to redact as well as
the extra concern about voter privacy that arises because the Voatz-produced
records are relatively rare in style and in format at the time of scanning. All
of these topics raise important issues for future use of the Voatz system as
does the credibility of data made available to “audit” and the
feasibility and efficacy of performing it as instructed.
I am however supportive of attempts to pioneer crowdsourced
reviews of elections and I thank the
jurisdiction and the NCC for arranging for this access to some accessible
evidence of the tabulation of the Voatz-involved ballots for purposes of
evaluating a portion of the current state of the Voatz product. It is good that
tests of internet voting experiments are being made with some opportunity for
independent oversight rather than without. Thanks are due to Voatz and Tusk for
their cooperation and I thank Denver for making extra arrangements for this
review to be made possible in parallel with the RLA and for the county’s
willingness to share information with the public.
Harvie Branscomb 5/19/2019