 Hi. So I'm glad to be able to join you all today. My name is Steve Newell. I'm from the American Association for the Advancement of Science, which is the world's largest multidisciplinary scientific society, where I'm project director at the Center for Scientific Evidence and Public Issues, usually referred to as the EPI Center. The EPI Center works to provide accurate, concise, and actionable scientific information to everyone from policymakers to parents to help ensure that science is a part of the decision-making process. Election Security has been one of our major initiatives since founding of the Center. I'm sure many of you are already familiar with it, but Susan Greenhall is currently a senior advisor on election security at Free Speech for People. He's well known in the election security space for tireless work advocating for secure election protocols, paper ballot voting systems, and post-election audits. Susan and I are here today to talk about leveraging electronic ballot options safely and securely during the COVID-19 pandemic. This presentation is based on a white paper with additional detail on these issues that will also be available. As I'm sure all of you here are well aware, COVID has scrambled existing policies and procedures in every area of the country, and election security is of course no exception. COVID has provided additional challenge to ensuring election security and ballot access during this critical time. Currently, five states vote primarily by mail. However, during the past few months, we've seen states across the country working to scale up their vote by mail options and capabilities as we head toward the November elections. These steps have taken a variety of different forms between states. For example, an emergency executive order in Delaware includes a measure that allows voters concerned about COVID to qualify as sick or physically disabled, allowing them to vote absentee. Just to make sure the evidence is known, researchers have found that universal vote by mail has no impact on partisan turnout or vote share. So vote by mail is really a non-partisan solution to ballot access concerns. Work by Amber McReynolds and Charles Stewart highlighted 204 cases of absentee ballot-related fraud in a quarter of a billion votes cast over the past two decades. As is the case across the election space, fraud is exceedingly rare with vote by mail. Alongside this expansion of vote by mail, states are examining various solutions for remote voting, such as remote accessible ballot marking, which allows voters to receive, and if necessary, mark their ballots electronically before printing the ballot and returning it to their local office. Uokava was expanded significantly in 2009 when Congress passed the MOVE Act to provide greater protections for service members, their families, and other overseas citizens. Among other provisions, the MOVE Act requires states to transmit boldly requested absentee ballots to Uokava voters no later than 45 days before a federal election. However, remote accessible ballot marking is also essential for individuals with disabilities or those who encounter barriers to marking a paper ballot by hand. We know that there is still a disability gap in voting with roughly 5% lower turnout in the 2018 midterm election, equivalent to roughly 2.4 million votes from individuals with disabilities, according to research by the Rutgers School of Management and Labor Relations. So we know that there's an ongoing equity gap in ballot access, which is essential to address. Further, electronic ballot delivery can help fill in the gaps from when traditional mail and voting is either not possible or appropriate. However, it's important to remember that electronic return of March ballots is an incredibly risky endeavor. The National Academy is warned against it in its 2018 systematic review of voting security. Also in 2018, our report Susan co-authored with the Common Cause Education Fund, the R Street Institute and the U.S. Technology Policy Committee of the Association for Computing Machinery provided additional warnings against internet voting. In April, from the EpiCenter, we sent an open letter to state voting officials signed by more than 70 internet pioneers, scientists, security experts, and voting groups urging those officials not to allow electronic return of March ballots. Due to the scientific evidence demonstrating these votes cannot be secured. Importantly, there is no way to conduct a valid audit of the results due to the lack of meaningful voter verified paper records for electronically returned to March ballots. In May, the Department of Homeland Security, the Federal Bureau of Investigation, the National Institute of Standards and Technology, and the U.S. Election Assistance Commission shared similar guidance at going these concerns. Even with the tools and applications available, this activity is still high risk. To be clear to the state, there's still no known technology that can secure electronic ballot return. So with that background, this brings us to remote ballot markings. Specifically, what factors should election officials keep in mind about these systems? Particularly in terms of safeguarding voters' privacy and security. At this point, I'll go ahead and hand things off to Susan to tell you a little more about these systems. Thank you, Steve. And I just have to say it's great to be presenting here at DEFCON, but it's certainly bittersweet to not be able to be in Las Vegas with everybody and at the voting village and seeing all the great work firsthand. So I'm really pleased to be able to present what Steve and I have worked on together with this paper and the findings, even though it's unfortunate that we're not actually there in person. And I just want to preface this by saying that this paper is really geared towards all the election officials that are participating more and more in DEFCON. We're trying to highlight some of the known security and privacy risks of these systems and how election officials can become aware of them and then make choices to mitigate those risks. So back into the presentation, as we're seeing these states expand their vote by mail options, it's really important that there also be an option for disabled voters to mark a ballot privately and independently if they're choosing vote by mail and that they have assistive technology if they need it. So what we're seeing is that there are several systems available in the commercial market which will deliver a blank ballot to the voter in line and then allow the voter to mark that ballot using the assistive tech that they're familiar with on their own device, print the ballot for the voter to return either by mail or a dropbox. So we're not talking about online voting here. We're talking about a way to assistively mark that paper ballot, but what we're seeing is that there's architecture, even though you might assume that it doesn't do this, that actually sends the vote choices back over the internet. The devil is in the details and the way these systems are designed and created. Many of the commercially available systems keep all of the information resident on a remote server so that each time the voter makes the selections on their own computer, that vote choice is transmitted back to the remote server. Now that remote server has already identified who the voter is because they've had to authenticate the voter when the ballot was pulled up and given to the voter. So this creates a set of records on that remote server of both the voter's identity and their vote selections which now can enable all sorts of secrecy and privacy of vulnerabilities or compromises if anyone gains access to that server, either the state, the vendor or somebody who compromises it remotely. Furthermore, each time those vote choices are going back and forth over the internet, they're vulnerable to eavesdropping and spyware. So it's really not advisable from a security and privacy standpoint. And even if that remote ballot marking system isn't designed to send these vote choices back over the internet, the ballot secrecy and the vote choice secrecy can still be compromised when marked online. So we really want to minimize the number of voters that are marking their ballots online to minimize these security risks because those vote selections are going to be recorded in temporarily, temporarily in memory on the on the voter's device as well as their printer. And for these reasons we want to highlight that issue and encourage election officials to speak to vendors and require that the system zero out the vote data upon closing the application when they're making these systems. Furthermore, voters should be encouraged to mark their ballots on their own devices if at all possible and to not use their work computers or any publicly available computers, which could also invite other opportunities for secrecy violations. Furthermore, it's also always important to know that there's a risk that the ballot marking system might not report the votes correctly. There can be bugs, there can be malware. For these reasons, voters should always be instructed that if they can to mark the ballot by hand to mitigate these privacy and integrity risks. And if they need to use the accessible technology and mark the ballot by their device, that they should always be encouraged to check the vote choices carefully and election officials are encouraged to disable the barcode feature on the ballot marking system and remake the ballots directly from the voter selection so that you don't have any issues that maybe the barcode is is reporting vote correct vote choices incorrectly. This issue has been looked at years ago by National Institute of Standards and Technology and the Center for Civic Design, which does a lot of work with voters with disabilities and providing accessibility. Both have provided clear recommendations that any remote accessible ballot marking system should not transmit the vote choices back over the internet to remote server and they should be designed so that all the vote data remains local to the voter's computer in a stateless state, I guess. It's important to note that the accessibility of these remote accessible ballot marking devices isn't not impacted by the configuration in either way, meaning you're not giving up any accessibility to provide a more secure and private remote accessible ballot marking system that keeps all the information local to the voter's computer. So there's no advantage to introducing these security and privacy risks. It's only upside to to to look for these devices that make these that that are right here to this design best practice. So California is a good state to look at that looked at these issues and put the policy into practice. In 2012 in California it was moving to largely a vote by mail state. It wanted to make sure that there was accessible remote ballot marking options looked at these recommendations from NIST and others and passed a law that prohibited the use of any remote ballot marking device that or system that transmitted the vote choices over the internet. And as a result they have certified three systems that are currently commercially available and that meet this design best practice. So their system is out there right now today that can be adopted and and will protect the voter's secrecy. So just to to give a quick summary of what we've just covered, state should be encouraged to adopt offline accessible remote ballot marking systems for all voters as they expect or for voters that need it that may need it when expanding vote by mail. The voters should also be instructed to carefully check printed ballots for errors. States should be required states should require the vendors to offer systems that delete vote choices from all the memory when the application is closed. Voters should be encouraged to avoid using networked or public devices if possible and election officials should consider disabling the barcode feature and remaking ballots directly from the voters choices. So now we're going to look at the risks of online blank ballot delivery and I'm turning it back over to Steve. Thanks Susan. So as Susan mentioned how do we minimize risk with online blank ballot delivery? The National Academy's report in 2018 described online blank ballot delivery as acceptable and the recent DHS guidance described it as low risk. However it's important to remember that low risk is not no risk. So the risk with blank ballot delivery systems are those that would impact the integrity and or availability of the ballots such as altering or removing vote choices. Some electronic ballot delivery systems perform functions to verify a voter's identity before presenting them their assigned ballot. The identification process can use personal identifying information such as name and driver's license number or biometrics. While when this verification is improperly configured remote electronic ballot delivery systems can present additional privacy risk such as the loss or theft of the voter's personal and or biometric identity information. Voters who have had their information stolen or harvested previously could have their ballots at risk especially automated attacks. Speed and efficiency of automated attacks can increase the impact of these attacks considerably. Further many ballot scanners cannot read ballots printed from voters home printers because the paper weight and size are incompatible. So vote so the voter selections must be hand copied onto traditional paper ballot stock that can be read by those scanners. This can be a time and resource consuming process the burdens already limited election staff and volunteers. The copying process also presents a potential source of inaccuracy as even an incredibly low copying error rate could impact elections if the volume of copied ballots is sufficiently high. Importantly the original returned ballots should be kept for auditing purposes. Finally this might also create a health risk for election workers who are typically directed to sit in pairs in order to prevent manipulation or fraud. Without transparent oversight or strict security protocols this process introduces opportunities for error or tampering. So here I'll go ahead and turn things back over Susan to go through some of the best practices and recommendations to keep in mind as officials prepare for the upcoming election. Thanks Steve. So we're just going to summarize the takeaways. We urge election officials to follow the best practices of NIST to only adopt and certify remote accessible ballot marking systems that can find the vote selections data to the voters devices and remove the choices from all memory when the application is closed. To limit the use of electronic ballot delivery only to the voters that can't get a mailed pre-printed ballot so that you're limiting the risks of that online blank ballot delivery that Steve just talked about or limited to voters that may need an electronic ballot to mark the ballot with a remote accessible system. To urge election officials to make printing the blank ballot the default default action of any ballot downloaded to encourage the voters to fill out the blank ballot with a pen before mailing it. We also encourage voters who must use a accessible remote ballot marking system to use their own personal devices networks and printers if at all possible rather than others infrastructure unless they may have some privacy concerns at home. Recommend that no voter should ever enter vote choices into device that's connected to the internet and maybe we skipped over that but it's ideal that the device should be disconnected from the internet once the ballot is downloaded when the marking process is being executed. Instruct voters who do not mark their ballot with a computer or device to care I'm sorry who do mark their ballot with a computer device to carefully check and verify that their vote choices were recorded correctly. To election officials we also encourage that they them to disable the barcode feature and to remake the ballots directly from the voter selections retain that original ballot and use the human readable part for all audits and recounts so that you have the original record of voter intent when doing an audit or recount not from the remade ballot and consider electronically delivered ballots to be at higher risk for unauthorized duplication and consider authentication of the voter's identity and eligibility when looking at those ballots. So I think we can wrap up with that. Any final words Steve? No I think he covered it all Susan. Great thank you all so much. It was great to be able to present this information. The paper is on both of our websites if you're looking to to get more information and thank you very much. Thank you all. Hope to see you in Vegas next year.