New Jersey e-vote experiment after Sandy declared a disaster

NEWARK, N.J. — Five days after Hurricane Sandy demolished the Eastern Seaboard on Oct. 29, 2012, and left the state of New Jersey in particularly horrific disarray, an exhausted Christopher Durkin listened in on a conference call while sitting in his black 2010 Chevy Malibu, charging his cell phone outside his darkened, juice-less home.

Durkin was one of 21 county clerks who had been urged to join the hastily arranged call by Robert Giles, the state’s director of elections, who had promised an important announcement. Giles gave many of them a preview of what the coming days would be like, shortly before the lieutenant governor, Kim Guadagno, came on the line.

“Put your phones on mute,” he said, according to several clerks on the call. “The lieutenant governor will not entertain questions.” The week, no doubt, had been grueling for all. And it was about to get even more challenging.

Guadagno, in her dual role as the New Jersey secretary of state, spent her few minutes on the line rewriting the rules for the Nov. 6 general election, which was only three days away. She had, in those traumatic days after the storm, made a number of emergency changes to voting procedures. Because some 900 of the state’s 3,500 polling places had been destroyed or otherwise rendered unusable as of Friday, Nov. 2, clerks’ offices around the state were open for long hours all weekend to give residents a chance to vote in person using absentee ballots, a practice known in New Jersey as “vote by mail.”

Another option was for voters to visit any polling place on Election Day and vote in the federal races — president and U.S. Senate — via provisional ballots, which would be sent to their county and tallied if the local board of elections decided the voter was properly registered and hadn’t already cast a ballot. Similar measures were taken in New York and Connecticut, states that had also suffered major damage that made the coming election a logistical nightmare.

In that sense, then, the decision was declared a success, and the legal precedent has been unchallenged, with the important exception of a team at the Constitutional Rights Clinic at Rutgers Law School-Newark that spent the past 18 months following a public document trail to show what went wrong. The team, led by law professor Penny Venetis, is now in possession of thousands of ballots cast that year, as well as the secrecy waivers that were required to use the e-voting “system.”

“There was mass confusion among county officials and voters alike,” concludes the 83-page report, “The Perfect Storm: Voting in New Jersey in the Wake of Superstorm Sandy.” “Emergency measures such as Internet and fax voting not only violated New Jersey law, but also left votes vulnerable to online hacking. Internet voting should never be permitted, especially in emergencies when governmental infrastructure is already compromised.”

The report will be officially released to the public on Monday, Oct. 27.

In many quarters, New Jersey’s actions were seen as heroic — storm-battered election officials, themselves living in hotels and separated from their families, working tirelessly to come up with ways for people to vote. Despite the turmoil, in fact, statewide turnout clocked in at 62.6 percent, slightly lower than a normal presidential election for New Jersey but above the national average of 58.7 percent for the 2012 general. The League of Women Voters created a sympathetic 20-minute video showing traumatized residents taking solace in being able to do one normal thing — vote. Guadagno declined interview requests and referred Al Jazeera to Giles, the state's election director. But she referenced e-voting as part of her success, several clerks said.

Giles says the estimated number of 50,000-plus votes shows that the e-voting was a success: “It shows that the system works, in that you can deliver ballots, and you can get ballots returned via email.”

To others, most notably cybersecurity experts who loudly pleaded at the time for Guadagno not to go forward with the plan, it was a disaster that could portend other similar messes.

“Really? They say it went well? Really?” asks Ed Felten, director of Princeton University’s Center for Information Technology Policy, in an office that features an electronic voting machine hacked by his students into a functioning Pac-Man arcade game.

“We don’t know how many of these votes were actually counted or shouldn’t have been counted versus lost, or how many people tried to use this system but were unable to get ballots,” says Felten, a foremost expert in the vulnerabilities of electronic voting both at polling stations and via the Internet. “We can’t measure it, but certainly there are indications of overflowing mailboxes, big backlogs and problems processing requests. So I don’t think you could conclude at all that this was a successful experiment.”

Or, as then-Morris County clerk Joan Bramhall said in the weeks that followed Nov. 6, “It was an election from hell.”

Here is how electronic voting was supposed to work in New Jersey after Sandy: Displaced voters had to download and print the applications for absentee ballots from their county’s websites, fill them out and email or fax them back. They could also call or fax in their requests for vote-by-mail applications and have them either emailed or faxed to them. They had until 5 p.m. on Election Day to send in applications and until 8 p.m. to return the completed ballots.

Each voter’s registration and predicament were to be verified by the clerk’s office — specifically, whether they were really displaced, or just taking advantage of the situation for convenience — before issuing the ballot. They would then fill out the ballot by hand along with a document originally created for military or overseas voters that surrenders the voter’s right to a secret ballot. Both documents needed to be returned to the email addresses or fax numbers provided, and then voters were to send those same original hard-copy documents via postal mail to the board of elections.

That last requirement, intended to guarantee the security and accuracy of the vote, is where things fell apart, according to the Rutgers report. Clerks not only decided at their discretion who was “displaced,’’ but they were also given such confusing directions that many ended up deciding on their own whether voters needed to return their paper ballots. In addition, no one ever followed up after the election to check if the emailed and faxed ballots had matching paper ballots that were mailed in.

In most counties, clerks dispersed full ballots with all the races that residents would normally get to vote on based on their home addresses. Essex County Clerk Christopher Durkin tried to keep it simple by providing only email or fax voters with ballots that included the presidential, Senate and U.S. House races — and still he estimates it took at least 10 minutes per ballot application for staffers to process.

“Multiply that by thousands of emails,” he says, “and it was just overwhelming. And there were also so many faxes! We had to find a Staples that was open to buy ink cartridges for the faxes that were shooting out all day and night.”

The cartoonish nature of the situation hit a low note after the Essex County email system crashed under the weight of the barrage of requests, and Durkin posted his own personal Hotmail address online late Sunday. The move quickly won derision online from hackers and some tech journalists — TechDirt.Com, for instance, ran an item under a snarky subtitle, “from the you’ve-absolutely-got-to-be-kidding-me dept” — but Durkin was in his office, blissfully unaware he was a punch line until his wife called.

“There’s a story out there that you gave your personal email out,” she said from her mother’s house in Morristown, where she stayed after the storm with their three toddlers while he was at a hotel in Newark, the county seat. “It says all you have to know is Chris Durkin’s mother’s maiden name to change your password and get into the account.” Durkin changed his Hotmail security question and answer after that call, and insists he was never hacked. Furthermore, his Hotmail account was used only to receive ballot requests, not to deliver any ballots.

The question of whether to return paper ballots came up repeatedly. Guadagno’s two-page post-Sandy directive didn’t mention the paper-ballot requirement, and some voters — including those in Middlesex, according to documents obtained by Rutgers — were told they didn’t need to turn them in.

That step exists to prevent hackers from easily intercepting email sent to a county address. Since the emailed votes comprise two documents, the waiver and the ballot, cybersecurity experts say it’s easy to replace the ballots with ones that show other vote choices. Unless voters mailed in their paper ballots to be compared, the board of elections would never know something was awry.

Shortly after 3 p.m. on the eve of Election Day, Giles did finally clarify the rules via email to clerks: “Please inform all displaced voters that a first-class mailing or equal of their emailed or faxed ballot will be sufficient.” By that point, however, thousands of voters had already requested, received and returned their ballots, in some cases under incorrect instructions.

In defending the choice, Giles noted in an interview that the decision was justified because the email and fax system already exists for military and overseas voters. “We weren’t creating new laws,” he says, noting that the directive to do this was vetted by a team of attorneys in the state AG’s office, none of whom was permitted to speak about the process. “We were expanding existing laws.’’

That “existing law” was already under fire from cybersecurity experts. Given how common a problem hacking has become among major corporations and government entities, they reason, the prospect that a county clerk’s system is secure enough to protect something as sensitive as voting is unlikely, said Bruce McConnell, who served until 2013 as the Department of Homeland Security’s top cybersecurity officer.

“The right to vote is the right that secures all our other rights, and there’s a high probability that somebody could change an election if the system is not secure,” McConnell said. “I have talked to no one who I have confidence in who thinks this is possible.”

The United States has a long history of considering, and then rejecting, the prospect of Internet voting for the masses. California tasked researchers at the Lawrence Livermore National Laboratory in 2000 to study the idea, and the scientists reported back that it could not be done safely. Four years later, a panel reported to the Department of Defense that it would take an overhaul of the Internet to build the right system.

Meanwhile, other nations have tried and continue to try. Norway abandoned its experiments with Internet voting earlier in June after years of attempts that included some small-scale uses in live elections, lead technologist Kristian Gjosteen explained at a workshop on electronic voting last August in San Diego, because glitches made it possible for voters to cast ballots more than once.

Still, the conversation is ongoing. This week, several small towns in Ontario Province, Canada, will offer e-voting despite decisions by others, including the cities of Edmonton and Toronto, to abandon similar plans, citing security concerns. Earlier this year, a Democratic committeeman briefly floated the notion of holding the 2016 Iowa caucuses online, an idea that the Democratic National Committee approved in 2008 as an option for state-run primaries but that has yet to be tried. In Utah in April, the legislature passed a law mandating that both overseas or military voters and voters with disabilities be given the ability to “register to vote and vote electronically.”

It’s not merely that the Internet is hard to secure, but that voting presents one special challenge that virtually no other activity online features: Total privacy.

“The secret ballot complicates everything,” says University of Michigan computer science professor J. Alex Halderman. “People say, ‘I can bank online, why can’t I vote online?’ But we don’t bank in secret. If you bank online, you can get a receipt. If you buy something from Amazon, you get a receipt, you get a credit card statement. It’s all verified with double-ledger accounts. You can watch that money move around at every step.”

Halderman is an absolutist — with good reason. In 2010, Washington, D.C., was weeks away from allowing residents to vote online in municipal primaries when it invited the public to test out the system in a mock election. Halderman and a gaggle of his best student hackers managed to break into the system in less than a day and alter votes. Nobody in the city government knew they had been there until trial voters complained about the weird music playing on the “thank you for voting” page. The students had set the system to play the Michigan fight song.

Washington promptly canceled its online system and never returned to it.

The question of who qualified as “displaced” was yet another complication — and an important reason some New Jerseyans received ballots and others didn’t. In Essex, Durkin said his office received about 40 requests for fax or email ballots from residents of a local nursing home but turned them down because they were not “displaced from their primary residence,” per Guadagno’s directive.  Camden County, according to a document obtained by Rutgers, granted “first responders” the ability to vote electronically.

Clerks repeatedly asked Giles, Guadagno and Assistant Attorney General Donna Kelly for clarification, according to documents obtained by Rutgers. On election eve, Burlington County Deputy Clerk Wade Hale sent an exasperated note to Giles calling the e-voting option “simply a nightmare turned upside down, then inside out and dropped in our laps.’’

The day after the Nov. 6 election, Gov. Christie touted the success of the e-voting measure, saying that problems were dealt with as they came up.

It was a peculiar statement, because the election, technically, wasn’t over yet. While the votes had been counted, the question of how many of the e-mailed or faxed ballots would be valid remained unanswered. Election officials, at least according to the law and Guadagno’s directives, were required to count electronically delivered ballots only if the voters had sent in their paper ballots, too.

More than 75 races were too close to call after Election Day. Yet for weeks, it was impossible for journalists to get an answer as to when or how the paper and electronic ballots would be reconciled.

The Rutgers documents show county officials openly admitting they disregarded this step. A Morris County official wrote in a letter to Venetis, of the Rutgers team, that hard copies of voted ballots “were not compared to faxed or email ballots for consistency of voting” and that “any ballot that was not received via hard copy … was counted.”

It may be impossible to tease out which races, if any, would have turned out differently had legions of votes been discarded for lack of the complementary paper ballots. In the immediate aftermath, with so much physical chaos in the state, almost nobody asked for recounts. Retired cop Rusty Chew, a 58-year-old first-time candidate for mayor of Cape May, was winning on Election Day but lost by 12 votes after the absentee votes were counted. He shrugged it off, returned that Friday to his post as a volunteer firefighter and spent the weekend bass fishing. Family and friends urged him to ask for a recount, but he says he “didn’t want to seem like a sore loser.” Also, he couldn’t imagine any reason why the votes would have been miscounted. “You just trust that these things are done on the up-and-up,” he says.

After any election, there is an almost instantaneous desire on the part of the electorate to accept the results and move on. Recounts, whether it’s the one in Florida in 2000 that lasted five weeks before the U.S. Supreme Court put a halt to it or the seven-month saga in Minnesota in the too-close-to-call 2008 race for Senate, can be a significant blow to confidence in election outcomes. In the long run, concerns about problems in long-settled elections are written off by most as the mutterings of conspiracy theorists.

Yet New Jersey after Sandy is instructive, Venetis and others say, because the same “system” continues to be used and, in fact, is being expanded even as security threats persist.

Military and overseas voters still surrender their secrecy to vote electronically, and the law remains vague as to whether those ballots and waivers are a matter of public record. Most clerks in New Jersey have interpreted this to mean that the ballots are exposed to one or maybe two county employees in the process of receiving them, printing them and feeding them into the optical scanner machine. Yet there is no statute that says that, and in fact the Rutgers team received boxes of completed and signed waivers and accompanying ballots from counties that fulfilled the open-records request for them.

Those waivers are strikingly sensitive documents, too. They require a voter’s full name, address, birth date, phone number, personal email address and Social Security number. In her report, Venetis notes that state law bars the transmission of someone’s “Social Security number over the Internet unless the connection is secure or the Social Security number is encrypted.”  In this way, Venetis asserts, “the state exposed voters’ Social Security numbers, birthdays and signatures to hackers.”

Beyond the fact that thousands of military and overseas voters continue to surrender that data, the security threat for displaced Sandy voters didn’t end after New Jersey’s vote tallies were certified. Unless every clerk deleted all of those emails and their attached documents after the election — and several said they weren’t sure — that cache of information remains for the taking.

“It’s likely the files are resident on systems that are pretty poorly protected,” McConnell, the former DHS cybersecurity expert, says. “I’d be concerned, sure. Given the rest of how this went, you’d have to be nuts not to be.”