SF Open Source Voting - September 2017 Update / Newsletter


This update has an important and urgent call to action to help defend elections in California. Stop AB 840, the last-minute change that would weaken California election security at a critical time instead of strengthening it. Can you spare a moment to help?

Disclaimer: while Chris Jerdonek is a member (and President) of the San Francisco Elections Commission, he provides this update as a member of the public and not as a Commissioner.


TABLE OF CONTENTS
  1. SF's open source voting project in SF Chronicle!
  2. Planning Phase RFP update
  3. SF Open Source Voting Technical Advisory Committee (OSVTAC) update
  4. Spotlight: Colorado's Open Source Election-Auditing project
  5. URGENT ACTION: Stop AB 840! Save election security in California!

1. SF's open source voting project in SF Chronicle!

The SF Chronicle published a great article on San Francisco's open source voting project last week. If you can't read the article because of a paywall, it might work to click through the following tweet using Twitter's mobile app.

2. Planning Phase RFP update

The consulting firm Slalom was selected as the winning bidder on San Francisco's RFP for the open source voting project assessment & planning phase. Congratulations, Slalom! Once the contract is finalized, all three RFP bids should become public (both Slalom's bid and the two non-selected bids).

3. SF Open Source Voting Technical Advisory Committee (OSVTAC)

The 5-member, newly formed Open Source Voting System Technical Advisory Committee (OSVTAC) has now held two meetings at SF City Hall, and things are moving along quickly. The committee now has its own website (hosted on GitHub).

At its second meeting, the committee approved the first iteration of its document of recommendations for the open source voting project. You can read the document online. Just like the committee's website, the recommendations are also hosted on GitHub. The recommendations are being developed in a way similar to how open-source software is developed. In addition to conventional methods like email, members of the public can also submit comments or suggested wording on GitHub, just like with open-source code. The committee will be able to discuss and vote on these suggestions at monthly meetings.

One key difference from an open source project, though, is that because of state and local open meeting laws, committee members aren't allowed to collaborate as a group outside of noticed meetings. This approach of soliciting public feedback on GitHub is a bit like how the White House solicited feedback on its draft source code policy last year.

The committee's next meeting is Thursday, September 21 at 6pm.

4. Spotlight: Colorado's Open Source Election-Auditing project

Another example of open-source election software happening right now for US government elections is the following election-auditing project for the State of Colorado. The company Free & Fair won an RFP that Colorado issued this summer. Colorado wants the software to be open source under the GPLv3 license (or something similar). While the license hasn't been confirmed / added yet, you can still follow along and watch the software being developed right now! Chris submitted a couple of easy contributions (aka "pull requests") just to see what would happen (and also for fun!).

5. URGENT ACTION: Stop AB 840! Save election security in California!

This week (the week starting Sept 11), the California Legislature is on the verge of passing a terrible bill for election integrity and security. It is called AB 840.

We need to act now because the California Legislature has only one week left in session. Sept. 15 is the last day. There is so little time because the bill was changed at the last minute, without ever getting a public hearing.

In brief, the bill would remove the legal requirement that all computer-counted ballots have to be subject to the random manual audit after each election (what the California Elections Code calls the "1 percent manual tally"). This is a hard-fought requirement that has been in place for over 10 years. Under the new wording, 30-40% or more of all ballots would be exempted from this requirement. This includes all provisional ballots and all vote-by-mail ballots arriving after Election Day. These ballots would create a huge target for hackers. At a time when election hacking is on the rise, the bill does exactly the opposite of what California should be doing to protect the integrity of the vote.

The change is being pushed by California Secretary of State Alex Padilla and CACEO (the association of county registrars). It was added at the last minute on August 24 without any public hearings. This was long after the California Assembly passed the bill, and after the Assembly and Senate Elections Committees passed the bill without this wording.

How does this bill relate to open source voting? The security of an open source voting system depends not just on software, but also on the processes around the election. Even if you have paper ballots and open source software, computer hardware can be infected with malicious code to change how votes are counted. Random manual audits checking the computer counts against the original paper ballots are the last defense we have to protect against this.

This isn't just about San Francisco. California state government depends on all counties having secure elections.

There is only one week left. The California State Senate will likely vote on the bill this Monday, Sept. 11, and the Assembly could vote on it Wednesday or Thursday. Please contact your Assembly and Senate representatives and tell them to vote NO on AB 840. Our elections depend on it. For more details on how you can help, see this page: https://countedascast.org/stopab840/

More AB 840 Background

For people who want even more nitty-gritty details, here is more background: In terms of wording, the bill changes the 1% manual tally requirement from "ballots" to "ballots canvassed in the semifinal official canvass." What is the "semifinal official canvass" exactly? It is essentially the "election night" totals. In other words, if this bill passes, there will be no legal requirement that ballots counted after election day by computer be audited. All of these ballots will be exempted from the manual audit. For example, with this bill, malicious code could simply wait until Thursday to "turn on," and any vote tampering would go undetected. Also, even if registrars used their discretion to add more, it would be too late to be effective because the random selection will already have taken place! The malicious code could just "turn on" for precincts that weren't selected.

Why are Secretary of State Alex Padilla and the County Registrars pushing for this change? In 2016, a citizen sued San Diego County Registrar Michael Vu for not including all ballots in the audit. The judge ruled that late vote-by-mail ballots had to be included in the audit, so the citizen won. You can read more in this newspaper article about it.

The case is now being appealed. Now, instead of helping counties like San Diego fix their practices and come up with a process to include all ballots, they're trying to weaken the law and remove the requirement. In other words, Vu's past practices would become legal with the change. That is what the AB 840 changes are about. It would make the case against Vu moot. It would also protect other county registrars that choose not to include all their ballots in the audit, instead of protecting voters' ballots and elections.

Here are a couple other recent online pieces about AB 840:


The text of this article was written and provided to the OSI by Chris Jerdonek

Image credit: "SFUpdate.png" is a derivative of "Solitude", 2011, by Mortimer62, via Flickr, and used with permission under Attribution-ShareAlike 2.0 Generic (CC BY-SA 2.0).