USPS Files Patent for Voting System Combining Mail and Blockchain
by Vipin Bharathan   /  Sep 20, 2020

“United States Patent and Trademark Office (USPTO) published a patent application filed by the USPS. The patent claims that a combination of the security of the blockchain and the mail service provides a reliable voting system. A registered voter receives a QR code by mail. A separation of voter identification and votes to ensure voter anonymity is the principal feature of the solution. The votes are stored on a blockchain attested by election officials. Obviously, this patent is too late to be developed and deployed for this election. That this patent has been filed by the USPS must surprise a lot of US citizens. The USPS has been in the news lately, for a number of reasons.

The USPS is not known for innovation, as it is not evident at the local level. The visible infrastructure of mailboxes, PO Boxes, the postal counter itself, stamps and the post-person trundling a mail cart could be part of the American scene a century or more ago. To manage fast delivery of mail and packages, a modern logistics company operates behind the scenes of the USPS. Fast sorting machines, processes to cope with even the most dire natural disasters, airplanes, software to manage processes, tracking and tracing. Clerks in a sleepy rural post office as well as those in a ramshackle urban one are backed up by this machinery.

The battle cry of the small government crowd has been: defund the post office! Congress has made demands on the USPS that does not make sense for any business, the most onerous being the requirement to fund pensions for the next 50 years. The USPS is a deliberately weakened institution, hardly able to function in normal circumstances, much less during the most demanding election in years, with projected increased mail-in voting because of dangers posed by in-person voting. In the United States, elections are administered and run locally,. The election machinery and process is truly decentralized, there are about 9000 local electoral offices. Elections in local areas reference federal, state, county, local municipalities and other institutions on the same ballot.

The ballots themselves are very localized. Election machinery is financed locally. In contrast there are about 34,000 post offices, all with local roots but administered federally. In order to prevent skulduggery at the local level, election systems processes and security procedures are in place. Before votes are cast, proper voter registration which ensures that all who have a right to vote are allowed to register to vote. The principle of voter registration itself brings in a certain amount of friction into the process, many people do not even bother to register to vote affecting participation rates. Voter registration which is how local electoral lists are maintained have been digitized through the creation of databases. Hand written lists and typed ledgers are a thing of the past.

The other elements of the election system are voting systems, tabulation systems, election result reporting and auditing systems. The integrity of the election system is dependent on the integrity of each of these systems and the way in which they flow into each other. The requirements of the election system are the following: the vote is anonymous, coercion should be impossible, only eligible voters should be allowed to vote, it should be easy to vote, all legitimate votes have to be rapidly tabulated to announce results, rapid auditable recounts should be possible. Some of these principles are in opposition, for example anonymity and the principle that you should be able to check that your vote was tabulated.

Some of them go hand in hand, for example anonymity and resistance to coercion. The problems of representative democracy include low participation rates and influencing the populace through misinformation. State actors do not have to attack the election system to influence the outcome. The frictionless and unchecked spread of misinformation through digital means is a major threat. In addition, voter suppression is seen as a legitimate tactic in the electoral process. These problems are ostensibly beyond a technical solution, even though technology is what exacerbates them. Most studies of election systems do not address these elephants in the room.

Most academics and election officials who study elections and electoral processes in order to secure the sanctity of the process are skeptical of technology solutions, especially for casting and tabulating votes. The recommendations of a study published by the National Academies Press rule against internet or mobile voting. All elements of casting, tabulating and announcing results should include paper ballots. They recommend that the security and integrity of registration databases be routinely examined by election registrars.

Some of these recommendations, although well-intentioned are difficult to follow. For example, the security and integrity of local voter registration databases connected to the internet cannot be strengthened with guidelines. Local officials require concrete assistance in constant monitoring and protection of these systems. The report was published in 2018, these experts had not banked on the pandemic as a major source of anxiety for in-person voting. Local registrars are also underfunded and poll workers are aging, more than 40% of them are above the age of 60. The nuts and bolts of an election system is much more than technical, but technology plays an important part.

Paper ballots and mail-in voting were new technology at some point; elections have come a long way from potsherds. In addition, technology is woven into voter registration systems, ballot creation and dissemination, tabulation through scanning. The casting of ballots themselves are analog processes, in-person voting or through mail-in ballots. In the midst of a pandemic, the USPS is the only trusted national agency capable of managing non-in person voting at scale. The US Postal Service has done this for many years and is part of the election infrastructure of the US. Mail-in and absentee ballots which use the same infrastructure has been a part of the election system for many years. The challenges and scale are very different this year.

As with all patents, it attempts to be overly broad, enumerating every permutation and combination of the storage of election templates, votes cast, tabulating them , certifying the results and auditing are laid out. The main element, twinning USPS mail and blockchain and other databases with a mobile voting component is the main claim. Reading the patent, it is not clear whether the voter identification and the ballots themselves are completely dissociated with no linking data to ensure anonymity. Paper backups, verifiable by the voters themselves are also a requirement for auditability. It is not clear from the patent how this requirement is met. Election experts and technology practitioners and theorists need to work together to secure the sanctity of democracy. It is too much to ask for perhaps, but maybe a shared sense of purpose should bind us all. The USPS is a natural institution to develop, test and deploy a solution.”

U.S. Postal Service Counters Trump Attacks On Mail-In Voting With A New Blockchain Patent
by Jason Brett  /  Aug 13, 2020

“As news of Trump trying to shut down the United States Postal Service (USPS) and stall mail-in voting captures the headlines, the U.S. Patent and Trademark Office today made public a patent application from the USPS titled ‘Secure Voting System’ that describes using blockchain technology to secure mail-in voting. The application is reported as filed on February 7, 2020, and the invention is described as, “A voting system that can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain.”

Chief among Trumps’s complaints against mail-in voting are doubts about whether or not the person whose name is on the ballot actually cast the vote, and whether or not the ballot was tampered with after it was sent. In both instances blockchain offers tantalizing possible solutions. Blockchain identity services are already being widely developed and by moving the vote to a shared, distributed ledger, the votes would transmit almost instantly, drastically reducing the ballot’s vulnerability to tampering. The Postal Service had no comment at the time of publication.

“One of several images illustrating the patent application by the U.S. Postal Service to use blockchain technology that would secure mail-in votes.”

The patent application provides a number of illustrations as to how blockchain technology would secure voting, including the one above. The USPS says in the patent, “Voters generally wish to be able to vote for elected officials or on other issues in a manner that is convenient and secure. Further, those holding elections wish to be able to ensure that election results have not been tampered with and that the results actually correspond to the votes that were cast. In some embodiments, a blockchain allows the tracking of the various types of necessary data in a way that is secure and allows others to easily confirm that data has not been altered”.

“U.S. Postal Service’s OIG explored blockchain applications in 2016 with a report. Applications include identity services and supply chain management.”

Paul Madsen, Technical Lead at Hedera Hashgraph, a distributed ledger technology invented by Dr. Leemon Baird, commented on the application by the USPS by noting, “Blockchains, or more generally Distributed Ledger Technologies (DLTs), fundamental value is that they can provide to a community with potentially adversarial members a trusted and shared view of data without relying on some single provider to control that data. To do so, they first allow the community to come to consensus or agreement on the order of transactions that change the data.”

Madsen explained these functions could be useful for recording votes in the election, explaining, “Both functions could be useful for recording the votes in an election – as proposed by this USPS patent. The votes of individual voters would be recorded, either on the blockchain or effectively timestamped and then recorded elsewhere – and so both help to mitigate the risk of double voting, or vote manipulation as well as give the voter confidence through transparency of the process.” Madsen makes clear that, “blockchains are no magic bullet for voting platforms,” and identifies the identity verification as the more critical component, something which he indicated the patent also acknowledges.

Blockchain technology was utilized at the Utah Republican Convention as well as in Arizona to send delegates to the Republican National Convention after each State decided to hold their conventions remotely. The technology was used in the 2018 West Virginia elections for absentee ballots of overseas military; however, a report by MIT showed potential vulnerabilities of the vendor software. The USPS Office of Inspector General (OIG) encouraged the Post Office to start looking at the benefits of blockchain technology back in 2016. Four key use cases for blockchain outlined in a report (image below) were 1) Financial Management, 2) Device Management, 3) Identity Services, and 4) Supply Chain Management. Identity services, an area the USPS could prove to be very strong on for some time, would play a critical role in securing mail-in voting by blockchain technology as well.

References to patent filings by the USPS are also made in a 2017 report by the Department of Homeland Security (DHS). The DHS report indicates that, “as of September 2017, the USPS filed a patent to implement a ‘digital trust architecture’ made up of a ‘user account enrollment and verification component’ based on user identity information; a ‘key provisioning component configured to generate a public and private key for the user account;’ a user email component for signing the email with a private key; a data access component for accessing sensitive data; and, a blockchain component for adding the records to the blockchain”. The Postal Service is not alone in exploring the benefits of blockchain technology when it comes to voting – the U.S. Senate’s Permanent Select Committee on Investigations issued a report earlier this year that recommended blockchain technology for potential use in votes by Congress.”

DHS chief calls on all 50 states to have ‘verifiable’ ballots by 2020 election
by Olivia Beavers / 08/22/18

“Homeland Security Secretary Kirstjen Nielsen on Wednesday called on election officials in all 50 states to ensure that ballots used during the 2020 presidential election are able to be audited. Nielsen told a group of reporters touring the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., that she wants “all state and local election officials to make certain that by the 2020 presidential election, every American votes on a verifiable and auditable ballot.”

“Our systems must be resilient. We must be able to demonstrate that the votes count and that they are counted correctly,” she added. Nielsen listed three ways states could audit their ballots: By using paper ballots, machines that print out an individual’s vote so it can be verified that the machine correctly tabulated their choice, or using machines that send a duplication transmission when someone votes.

The DHS chief indicated that she will not direct states on what method to use, but said states should maintain a system of verifiable ballots in order to ensure trust in the election system. “I don’t know if we are interested in mandating how, I am just interesting in making sure each state can explain to their citizens what they have done to verify the vote count,” she said.

The DHS chief emphasized that the Trump administration is “working with election officials in all 50 states,” having “frequent and frank” dialogue with election officials and pushing to identify and help manage risks. The remarks about verifying ballots comes amid heightened fears of foreign adversaries seeking to interfere in future U.S. elections, including the November midterms. Nielsen maintained that the U.S. is “better positioned” to combat cyber threats than at any previous point, but said “more can and should be done.”

Christopher Krebs, who serves as the head of DHS’s cyber office known as National Protection and Programs Directorate (NPPD), noted that there is an “ongoing Russian effort to sow discord and divisiveness.” The remarks from the top DHS officials comes just days after several technology companies announced malicious cyber activity by foreign adversaries.”

DHS cyber agency invests in election auditing tool to secure 2020 elections
by Maggie Miller / 11/21/19

The Department of Homeland Security’s (DHS) cybersecurity agency announced Thursday it would partner with election officials and private sector groups to develop an election auditing tool that can be used to help ensure the accuracy of votes in 2020.

DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is partnering with non-profit group VotingWorks on an open-source software tool known as Arlo, which is provided to state and local election officials for free. According to CISA, Arlo conducts an audit of votes by selecting how many ballots and which ballots to audit and comparing the audited votes to the original count.

The tool has already been used to conduct post-election audits across the country, including during the recent 2019 elections. Election officials in Pennsylvania, Michigan, Virginia, Ohio and Georgia have signed on to partner with CISA on Arlo, with more officials expected to join. “Heading into 2020, we’re exploring all possible ways that we can support state and local election officials while also ensuring that Americans across the country can confidently cast their votes,” CISA Director Christopher Krebs said in a statement. Krebs added that “At a time when we know foreign actors are attempting to interfere and cast doubt on our democratic processes, it’s incredibly important elections are secure, resilient, and transparent.”

Use of post-election audits have been widely recommended by experts as a major step to secure elections, particularly in the wake of attempted Russian interference in 2016. The use of audits was a step recommended by the Senate Intelligence Committee to secure elections in volume one of its bipartisan report on Russian interference efforts in 2016. “Statistically sound audits may be the simplest and most direct way to ensure confidence in the integrity of the vote,” the committee wrote. “States should begin to implement audits of election results.”

Open-Source Vote-Auditing Software
by Stacey Higginbotham  /  17 Sep 2020

“Election experts were already concerned about the security and accuracy of the 2020 U.S. presidential election. Now, with the ongoing COVID-19 pandemic and the new risk it creates for in-person voting—not to mention the debate about whether mail-in ballots lead to voter fraud—the amount of anxiety around the 2020 election is unprecedented. “Elections are massively complicated, and they are run by the most OCD individuals, who are process oriented and love color coding,” says Monica Childers, a product manager with the nonprofit organization VotingWorks. “And in a massively complex system, the more you change things, especially at the last minute, the more you introduce the potential for chaos.” But that’s just what election officials are being forced to do.

Most of the conversation around election security focuses on the security of voting machines and preventing interference. But it’s equally important to prove that ballots were correctly counted. If a party or candidate cries foul, states will have to audit their votes to prove there were no miscounts. VotingWorks has built an open-source vote-auditing software tool called Arlo, and the organization has teamed up with the U.S. Cybersecurity and Infrastructure Security Agency to help states adopt the tool. Arlo helps election officials conduct a risk-limiting audit, which ensures that the reported results match the actual results. And because it’s open source, all aspects of the software are available for inspection.

There are actually several ways to audit votes. You’re probably most familiar with recounts, a process dictated by law that orders a complete recounting of ballots if an election is very close. But full recounts are rare. More often, election officials will audit the ballots tabulated by a single machine, or verify the ballots cast in a few precincts. However, those techniques don’t give a representative sample of how an entire state may have voted. This is where a risk-limiting audit excels. The audit takes a random sample of the ballots from across the area undergoing the audit and outlines precisely how the officials should proceed. This includes giving explicit instructions for choosing the ballots at random (pick the fourth box on shelf A and then select the 44th ballot down, for example). It also explains how to document a “chain of custody” for the selected ballots so that it’s clear which auditors handled which ballots.

The random-number generator that Arlo uses to select the ballots is published online. Anyone can use the tool to select the same ballots to audit and compare their results. The software provides the data-entry system for the teams of auditors entering the ballot results. Arlo will also indicate how likely it is that the entire election was reported correctly. The technology may not be fancy, but the documentation and attention to a replicable process is. And that’s most important for validating the results of a contested election.

Arlo has been tested in elections in Michigan, Ohio, Pennsylvania, and a few other states. The software isn’t the only way a state or election official can conduct a risk-limiting audit, but it does make the process easier. Childers says Colorado took almost 10 years to set up risk-limiting audits. VotingWorks has been using Arlo and its staff to help several states set up these processes, which has taken less than a year. The upcoming U.S. election is dominated by partisanship, but risk-limiting audits have been embraced by both parties. So far, it seems everyone agrees that if your vote gets counted, the government needs to count it correctly.”

Inventor of auditing process used by the state is skeptical
by Timothy Pratt  /  11/20/20

“This week, thousands of Georgians sat at tables in rooms large and small across the state’s 159 counties and counted nearly 5 million paper ballots by hand, in what officials called a statewide audit of the general election outcome. Though the process ended by confirming President-elect Joe Biden’s lead, certified by the state on Friday, expert observers across the nation familiar with the state and its history with election technology looked on, feeling what one described as “horrified.” These observers included computer scientists, cybersecurity analysts, an adviser to Congress on election integrity, and the statistician who invented the method of auditing elections that Georgia Secretary of State Brad Raffensperger said the state was carrying out. Their reactions to the noble efforts of exhausted election workers were not, they underlined, due to evidence of wrongdoing, or fraud, or challenges to the election’s legitimacy. Their concerns owed to the process being used, what state officials were calling it, and what this could mean for future attempts to build public trust in election results—including on January 5, when voters in Georgia will once again be in the national spotlight, as a special election decides the balance of power in the US Senate.

The series of events leading to the “audit” began with a flurry of attacks leveled at Raffensperger from within the GOP, launched not even a week after Election Day, urging everything from his resignation to a complete hand recount of all ballots from the November 3 election. In a surprise move, Raffensperger announced on November 11 that he would order the count. He used what Gregory Miller, chief operating officer of OSET Institute, a nonprofit organization that researches and develops election technology, called “pretzel logic.” The state was obligated by law to perform a “risk-limiting audit”—a means of determining accuracy by counting a random sample chosen according to mathematical formulas. The technique has been tried in a small but growing number of states in recent years, and the National Academies of Sciences, Engineering, and Medicine concluded in a 2018 report that all states “should mandate risk-limiting audits.” But Raffensperger decided to forgo choosing a sample of ballots, insisting instead that counting all of the nearly 5 million ballots by hand, in less than a week, would be necessary to fulfill the obligation.

Georgia came to the idea of conducting risk-limiting audits last year, after US District Judge Amy Totenberg ordered the state to overhaul its entire election system because of outdated technology plagued by computing vulnerabilities. The state is one of only a handful that uses the same system statewide, whereas most states use a patchwork of voting methods; in addition, the voting machines then in use did not print out paper ballots. But as state officials debated how to comply with the judge’s order, experts urged the state to abandon digital voting altogether, to adopt voting by hand-marked paper ballots, and to follow up elections with risk-limiting audits. The latter received the imprimatur of the National Academies for a reason. For decades, many states have performed audits by hand-counting ballots in a fixed percentage of precincts. But a fixed percentage “may not provide adequate assurance with regard to the outcome of a close election,” according to the 2018 report. Risk-limiting audits, on the other hand, examine “randomly selected paper ballots until sufficient statistical assurance is obtained,” as the report’s authors wrote. The so-called risk limit refers to the largest possible chance that the audit will not correct an inaccurate result. For example, a 10 percent risk limit means an audit has a 90 percent chance of identifying the correct result of an election. The formulas underpinning the audit determine how many ballots will need to counted to reach that limit.

In the end, Georgia lawmakers decided to ignore most expert advice, and spent $107 million on a new computerized voting system, including voting machines that print out paper ballots—the object of this week’s count. They did, however, agree to carry out a version of risk-limiting audits, with the guidance of a nonprofit organization called Voting Works. Raffensperger’s surprise announcement claimed that the race was so close that mathematical formulas suggested that up to 1.5 million ballots would need to be randomly pulled, and that counting all 5 million by hand would be easier. This appeared to satisfy GOP critics, while also complying with state law regarding risk-limiting audits. One problem: State law also doesn’t allow for changing the election outcome based on the audit results. The secretary of state called it “an audit, recount and recanvass, all at once.” The issue, Miller noted in a widely read essay, was that each of these concepts has a different definition, and different legal and technical implications. (A recount, for example, is conducted by scanners, not by hand.) Philip B. Stark, the University of California–Berkeley statistics professor widely recognized as the creator of risk-limiting audits, called the state’s decision a “FrankenCount” in an e-mail. “Part of me is delighted that the idea has caught on,” he added in a call. “Part of me is horrified—they’re misrepresenting what it can do.”

Stark told me that a risk-limiting audit, to be effective, must have “trustworthy ballots.” This means, among other things, that each county would have canvassed its results, and ensured that the number of ballots tallied before uploading results to the state matched the number of voters who turned up at the polls. This would have avoided the “discovery” of thousands of ballots in several counties during the hand count that had not been included in statewide results. In the current climate, this has added fuel to allegations of wrongdoing—even though it didn’t change the election’s outcome. After all was said and done, Biden was still the winner, by 12,284 votes—less than 500 votes different from the tally compiled by machine. Stark also questioned Raffensperger’s claim regarding the necessary sample size, which Voting Works had estimated at 1.5 million. Stark said a risk-limiting audit “could have been done with 2,500 ballots, according to my methods and my calculations.” On-the-ground observers of the count included Harri Hursti, an election cybersecurity expert who has studied elections in five countries, including the United States. “This whole thing was originally called a risk-limiting audit, then a hand recount, then an audit—I don’t know what it is; I don’t think anyone else knows,” he said. Hursti noted that he had looked at the software being used to manage the hand count, an easy thing to do, given that Voting Works uses open-source code. He had seen more than a dozen changes to the code since the count began—a security concern, he said, since no entity had approved the original software or the changes.

Hursti also noted that staffers and volunteers in different counties—and sometimes in the same county—were following different procedures for counting the ballots. “Hand recounts only work when people are trained in and apply consistent methodologies,” said Richard DeMillo, computer science professor and interim chairman of the School of Cybersecurity and Privacy at Georgia Tech. “You could look at live feeds [of the hand count] and see that this is not the case.” As Miller wrote in his essay, “Audits must be sufficiently well-organized and rigorous that they do not potentially risk becoming yet another ‘political football’ for partisans to argue over; the whole point of a post-election audit is to produce clear evidence that reduces uncertainty—not to give politicians a fresh set of new ‘irregularities’ to argue about.” By Tuesday, the state appeared to have done a legal analysis of its effort; Gabriel Sterling, the state’s voting system manager, announced that the hand count would not in any way change the election’s results, for legal reasons. “What was the exercise about?” asked Marilyn Marks in response. Marks is executive director of the Coalition for Good Governance, an organization whose ongoing lawsuit against the state led to Judge Totenberg’s 2019 order. “Why take a week to do this, at a high cost and exposing so many workers to Covid?” Calls and e-mails requesting comment from the secretary of state, Sterling, and Voting Works were not returned. On Thursday evening, with the hand count done, a federal judge denied a petition by attorney L. Lin Wood for a temporary restraining order on the state’s certifying its election results, which took place Friday. After certification, President Trump can legally ask for a recount, which again means tallying up all votes by scanner.

In the end, the path Georgia has taken is a loss for the concept of a genuine risk-limiting audit, said Miller. “This may not matter—except to those who want to preserve risk-limiting audits as an important means of trusting the vote,” he said. “On January 5, we will undoubtedly see incredibly close races—with attendant calls for recounts.… Will they apply regulations to ensure verification, accuracy and, ideally, transparent elections—or will it fuel the same sort of distractions they’re seeing now?”

Blockchain Voting Can Work, Both Republican And Democrats Use Voatz
by Robert Anzalone / Sep 30, 2020

“Since last April, Voatz, a blockchain-designed voting service, has been successful in its public trials. But some skeptics doubt an electronic voting system would work and be secure. Both Democrats and Republicans have used this service to administer local elections with success. Nimit Sawhney, CEO of Voatz, believes it is time for the critics to take another look and test his system.

Voatz was used in May by the Arizona Republicans for their state convention. Voatz was used again in June for the South Dakota Republican State Convention and for Michigan’s Democratic State Convention in August. In each case, the service was a success and made the election safe given Covid’s gathering recommendations. Lavora Barnes, the Chair of the Michigan Democratic Party, agreed to use Voatz for the Michigan Democratic Convention. This election also included nominations for the State’s Supreme Court.

Barnes said, “My focus was on how to manage and validate everyone’s credentials attending this convention. Getting everyone credentialed is a huge challenge.” Barnes explained that Michigan’s Democratic Conventions are open to anyone who registered in the past 30 days before the event. When asked about other electronic voting systems, Barnes said, “Other systems did not offer both credentialing people and voting services. We needed a system that could identify an individual and their vote. Voatz provided voting data and the ability to track results. Voatz was able to show that the math was correct, and everyone could see tallies reported correctly.” Sawhney said, “Every county in every state can design its own paper ballot. If every ballot can be different, it is difficult to enforce technology standards.” He stated that Voatz wants to double down on a push for ballot standards in 2021.

Voatz is not without controversy. In February, MIT News published a severe critique about the application that expressed security concerns about the Company’s platform. In the report, MIT points to hackers’ potential to stop, alter, and take advantage of how an individual user has voted. MIT’s research was mentioned across press sources, like the Associated Press, The Boston Globe, Wired, CoinDesk and others. Consequently, West Virginia Primary dropped Voatz and went with a paper-ballot system for voters who could not make it to the polls.

Sawhney said, “The MIT report omitted facts and draws a false conclusion.” He went on to explain that the analysis based its findings on a version of their platform that was old and not used in the West Virginia election; the mobile application, which the report was based on, was not connected to a live environment and could not pass layers of established security protection; and MIT’s researcher team assumed how Voatz’s architecture worked. MIT has not yet responded to a request for comment. Regardless of what readers think about blockchain technology, it is clear that future generations will refer to our upcoming national election system when designing new ways to cast ballots.”