The “Top to Bottom” reviews by the California Secretary of State have been released. I have scanned the reports and they are very interesting, especially the usability report. The usability report raises some great issues with the design of both voting machines and the stands that are used to present the machines to voters. It has great photos and really does a nice job making a case that the current technologies need to meet specific standards for usability.
The reports find attacks that are similar to the attacks that have been identified previously related to electronic voting machines. These attacks are obviously problematic and it will be interesting to see if the industry takes these threats seriously in future designs (or provides some improvement to existing customers).
However, the reports also look very incomplete in that there were no discussions or scenarios that I saw of attacks on optical scanners, ballot boxes, ballots, or other aspects of the paper ballot voting process. This is not surprising in that the Red Team’s contained no individuals who were not computer scientists but they did not seem to replicate their physical attack scenarios on the optical scan systems. Obviously, though, it raises a question as to whether all voting systems were given equal scrutiny.
Also, what is truly funny is that there was no evaluation of the biggest voting system in California: the postal (vote-by-mail) system for absentee voters. Consider the plethora of attacks absentee voting systems raise; man in the middle attacks, no secret ballots, coercion, ballot theft, stealing returned ballots, wrongly disqualifying ballots, tampering with accepted ballots. There was no consideration given for how to determine the security of absentee voting. We know from research we have done that absentee voting is not easy; a relatively sizable number of individuals do not return their ballots (by choice? by fate of a conspiracy?) and that, even for those who do return their ballots, some will not have them counted because voters make errors on absentee ballots, like not signing them or returning them late.
Given that fewer and fewer Californians vote in person on election day, having a top-to-bottom review of absentee voting would seem a no brainer. Someone might ask the Secretary of State why this was not a part of the analysis.