2020/07/12

Start School Virtual, Go Physical When Feasible

Update 6/2/2023: I was right.

These are my observations for our local conditions (Santa Clara County, July 10-12, 2020), summarized below:

Observations


  1. There are still many unknowns and new information is arriving every day.

  2. Local conditions are critical.  This includes both the local prevalence and virus trends, and the school community’s needs and risks.  General statements need to be evaluated to see how they are applicable to local conditions.

  3. Research about both the educational impact of the virus, and distance learning, seems to indicate significant differences between younger children (<~12yo, cutoff) and older (>~12yo).  Specifically:

    1. Younger children appear to transmit the virus significantly less than adults. We don’t know as much about teenagers.  Both young children and teenagers can be infected asymptomatically, and are more likely to be asymptomatic than adults.

    2. Teenagers are “more similar to adults” in their response to the virus, per the SCC guidance.

    3. Younger children can much more easily move to a small-stable-cohort model with a single teacher, without educational loss, than teenagers can.  Teenager learning requirements are different and the varied and differentiated learning model is not very compatible with a single teacher/stable cohort model.

    4. Younger children require childcare, teenagers require much less.  The child care function of the elementary schools, which, let’s be realistic, is driving a lot of the physical re-opening urgency, is not a major issue for high school students.

  4. It’s a surprising apparent result that COVID is transmitted by children much less than the flu. This needs more research, and it seems quite possible new information might bring new guidance or nuances important for school safety.  (Also, I haven’t seen any discussion about how a cold and flu season overlaid with COVID might impact transmissibility, which seems like it could be a concern.)

  5. It is pretty clear that children can acquire the virus without much difficulty, the only real questions are around how much risk they face when they do (to date, not as much in terms of fatality rate, but long term studies don’t exist) and whether they transmit to others (as Dr. Cody said, we don’t know yet).

  6. The risks to teachers are possibly substantial, especially if the transmission hypothesis is wrong.  Many teachers are in high risk categories.  Even if the hypothesis is right, think about the multiplied risk of a non-small-cohort based teacher coming in contact with 60-120 students every day, even mediated by masks, inside air conditioned rooms.  (A small risk multiplied by a large number becomes a large risk.)  This is also a risk to students, of course.  And even if a teacher is “just” out for 28 days of isolation, where will a subject-trained, in-person substitute come from?

  7. Schools with in-person socially distanced learning are not going to be educationally equivalent to “regular” school, in my opinion (see also opinion of a 5th grade teacher for that environment).  Teachers won’t be able to walk around and check in on students, students won’t be able to collaborate in hands-on projects or discuss things in small groups in person nearly as well.  So we should be realistic about the options in front of us.

  8. Schools do not currently have the capacity (space or teachers) to have all students come back to school at the same time.  Most likely ½ to ⅓ of the student body at most can be physically on campus at once.  This, obviously, plays havoc with differentiated learning schedules and means that no matter what there is going to be virtual learning going on in the mix -- so, we’d better all get really good at it.

  9. The pandemic isn’t a 6 month thing; we are more likely going to be dealing with this for the entire school year, and, possibly, the next year.  We should plan accordingly.

  10. There’s one month until the planned school start date.  We have very little time to plan and execute on that plan, and this is the point where we should triage and attempt to hit our most important target fully before moving on to second priorities.  If we try to plan for too many contingencies at once, we risk failing at them all.

My Opinion

For at least secondary (middle & high) schools: "Start School Virtual, Go Physical When Feasible"


We should plan on the best possible virtual classroom to start with and make sure we have everything we need before the start of school, 4 weeks away.  This also needs to include in-person safety plans for some groups who absolutely cannot be served by virtual classrooms.


While that plan runs, we start planning for a phased-in physical re-opening.  Whether that’s a different schedule, a partial (1d/week), a different schedule for classes, priority meetings, or something else needs to be worked out.  The metrics and decision trees we need to use for deciding things safe for various stages, and how to move back and forth, must be well defined.


At this point, I would feel far more comfortable if the SCC guidance for surveillance testing of teachers once per month were extended to testing the entire school community at least once or twice per week.  Because any cases among students are likely to be asymptomatic, symptom based surveillance is unlikely to catch problems until after the virus has spread substantially.  Experts recommend this measure and it’s what several other countries are doing -- and the others have much lower community transmission than we do.  The costs at the moment are substantial, but there are several ways to reduce the costs per person.  We should explore them, and having time to do that is another reason to push this back.

References

SCC County Guidance (Jul 2), Announcement, Q&A .  At https://youtu.be/P36GN01dovY?t=1486 Dr. Cody says “In this country, we don’t know yet” about how much children are contributing to the pandemic and how much re-opening will affect it, and that guidelines may change as the science changes.


Leaked CDC July 8, 2020 briefing document outlining guidance and risks for schools: https://int.nyt.com/data/documenthelper/7072-school-reopening-packet/b70172f2cc13c9cf0e6a/optimized/full.pdf#page=1 (note: no discussions about transmission via normal aerosols from breathing, which is an area of active research; nor of HVAC systems that might play a role in indoor transmission.)

Metrics

https://covidactnow.org/us/ca/county/santa_clara_county?s=647107 -- Tracks Rt and other metrics over time, recommended by Harvard Global Health institute to help guide decision making by local authorities.

International & College School Re-Openings

How schools across the globe are reopening amid the coronavirus pandemic

Harvard will allow some students on campus this fall so long as they take coronavirus tests every 3 days  

Harvard, Princeton roll out plans for fall amid Trump pressure to reopen 

'Not Safe': Georgia Tech Faculty Fight Back Against In-Person Classes This Fall 

Here is the new return plan for South African schools 


Studies

Preliminary / In progress

Culture-Competent SARS-CoV-2 in Nasopharynx of Symptomatic Neonates, Children, and Adolescents -- Shows no laboratory evidence of lower infectiousness in children (no difference in viral load / shedding) vs. adults.  To be published in October.


An analysis of SARS-CoV-2 viral load by patient age -- in-progress work tentatively indicating ~37% of under-18 COVID patients appear potentially infectious per lab tests vs. 51% of adults (not a huge difference).


Published


Prevalence of Asymptomatic SARS-CoV-2 Infection: A Narrative Review: Annals of Internal Medicine: Vol 0, No 0 


Prevalence of SARS-CoV-2 in Spain (ENE-COVID): a nationwide, population-based seroepidemiological study (teenagers & 30yo similar in seroprevalence, young children lower). 


Guidance

Coronavirus and Schools - Novel Coronavirus (COVID-19) - County of Santa Clara (Guidance)

 

Key Metrics for COVID Suppression (Harvard) Summary: A  6 page document from Harvard Global Health Institute.  Relevant to translating public health data (e.g., case counts, deaths) into risk levels and action items for public health agencies and other authorities.  While no local agency has adopted this to my knowledge, they haven’t adopted anything comparable, and this seems like a good framework for decision making.

Anthony Fauci: ‘We are living in the perfect storm’

Public Health On Call: 110 - What Do Colleges and Universities Need to Consider to Safely Reopen in the Fall During COVID-19? 

Individual Experts

Perspective | The case against reopening schools during the pandemic — by a fifth-grade teacher (7/10/2020) 


An evidence summary of Paediatric COVID-19 literature -- Jul 10, 2020 rapid review of current evidence and recent updates. 


Top Pediatrician Says States Shouldn't Force Schools To Reopen If Virus Is Surging 


Aerosol transmission: https://twitter.com/quicktake/status/1281467223245295616?s=12 

400 questions from educators: Reopening Schools in NJ- Educator Concerns 

Jul 8, 2020: GA Educators say local data should drive reopening decisions for our schools


Denmark's Rt has gone from 0.6 to 0.9 after school re-openings, below 1, but need vigilance (https://www.thelocal.dk/20200430/reopening-denmark-has-increased-rate-of-infection-spread-ssu)

239 Experts With One Big Claim: The Coronavirus Is Airborne 


Jul 2 new-updates thread on children in schools by UK pediatric infectious disease researcher (survey) includes:

  • The Australia study of 18 confirmed cases (heavily referenced elsewhere as well)

  • The French high school w/660 kids with >14y having high antibodies (exposure)

  • French Primary school with 3 kids in school, no evidence of transmission

  • Ireland: 3 kids/3 teachers, no asymptomatic testing, no in-school transmission detected

  • Singapore: 3 cases w/asymptomatic close contacts tested, all negative (12yo, 5yo, 16 staff)

  • “almost no controversy that children’s safety is not the concern from being in school” (though this is looking only at death rates)

  • Data from Sweden doesn’t show increased risk for high school teachers (of course, Sweden is a bit of a mess generally: https://t.co/mB3HyVp2SF?amp=1)

  • Israel had trouble with outbreaks from secondary schools (high schools)

  • With low community transmission, many countries have schools up and running with few if any issues so far (Spain, Netherlands, SA)

  • Recommends prioritizing school openings over bars and restaurants (because everything contributes to risk->community transmission->need to lock down again)


Why AAP Guidelines Are Pushing for Schools to Reopen This Fall 


CT Bergstrom: "My view is that we should be using school / workplace testing for as many people as possible, ideally at least twice a week." 


(Economist) Paul Romer: Reopening Schools , FAQs on Virus Tests In Schools 


Covid-19, children, and schools: 6 reopening questions, answered by a doctor (health screening and testing as prerequisites).

News

Coronavirus: Missouri Summer Camp Closes After 82 COVID-19 Cases 


Texas day care coronavirus risks unclear as state limits information 


37 out of 429 student-athletes/coaches/staff test positive for COVID at UNC Chapel Hill 


Santa Clara County meeting that exposed 40 principals to coronavirus raises red flags 


Explainer: Do children spread COVID-19?  Risks as schools consider reopening. 


Israel school epidemic after school re-opening, Over 20 more schools closed as Israel sees largest daily virus rise in a month 


Duration of exposure to COVID-19 increases risk of infection  


Coronavirus: 45% of asymptomatic patients may have lung damage (A new study from Scripps Research in La Jolla, California, found that among 76 asymptomatic coronavirus patients on the Diamond Princess, 54% had lung damage indicated on CT scan)  


The medical case for reopening schools. (Jul 1)


Research Shows Students Falling Months Behind During Virus Disruptions [NB: The data set at https://tracktherecovery.org/, reference for the math losses in this article, appears to be using Zearn math lessons as a proxy, which (a) is very noisy (b) applies only to elementary age students (c) also shows _gains_ of up to 20% during lockdown in some places, such as NY and (d) shows gains for high income ZIP codes in CA, holding roughly steady for middle and low income ZIP codes.  Ignore the big “drop” in June, which is the start of summer vacation.]


Reopening Bars Is Easy. Schools Are Difficult. (Atlantic) 


Reopening Is a Psychological Morass (Atlantic) 


https://www.elcaminohealth.org/newsroom/information-from-el-camino-health-regarding-novel-coronavirus-covid-19#districttesting 

 

Why the U.S. still hasn't solved its testing crisis 


A COVID-19 outbreak on UW’s Greek Row hints at how hard it may be to open colleges this fall


How Covid-19 can damage the brain


Guest opinion: The risk of returning to the classroom in the fall


Opinion | Coronavirus Testing the Cheap, Simple Way (Future paper strip tests)   


https://www.mv-voice.com/news/2020/07/02/what-californias-budget-deal-means-for-k-12-schools?utm_source=express-2020-07-02&utm_medium=email&utm_campaign=express  


Scientists doubt Floyd protests led to COVID-19 spikes | McClatchy Washington Bureau -- Some evidence that outdoor gatherings are safer than indoor.


Fraternity parties lead to 47 new coronavirus cases at UC Berkeley




2020/03/12

COVID-19: Evaluating School Closures

I'm getting increasingly concerned that many Santa Clara County public schools are continuing normal operations when -- based on available evidence -- they should be suspending in-person classes.

The communication from my local school districts, MVWSD and MVLA, is roughly the same:
In the event of potential school closure: The Public Health Department currently is not recommending closing schools. If a staff member or student in a specific school is confirmed to have COVID-19, the Public Health Department will consider, based on the specific facts and circumstances of that case, whether closure of that school is warranted.
The problem with this:

  • We already know there is community transmission in the local area;
  • Patients presenting symptoms of COVID-19 are unable to get tested without meeting additional criteria (known contacts, foreign travel, etc.);
  • Therefore, absence of people "confirmed to have COVID-19" isn't evidence of much of anything, and not something to base critical safety decisions on. 
I've checked with a local ER physician who, as of Monday night, had 2 patients presenting symptoms, but who could not get the patients tested and did not know when they would be tested.   That's consistent with local and national reporting on the availability of testing, which is still very limited.  There's simply a capacity issue -- we cannot test everyone physicians want to screen, yet.

Also, the school sizes greatly exceed the (new) 250 person cap on large gatherings from Governor Newsom's latest orders.  While those orders explicitly carve out schools to be treated differently from other large gatherings -- I'm having a pretty hard time seeing how we can say that, say, a conference of 300 people should be cancelled, but a school of over 2,000 kids should remain open, based purely on public health criteria.

So, the official guidelines for shutting down public schools seem to still be catching up to the facts on the ground.  We have 48 confirmed cases in Santa Clara County, many in the local area, so clearly there is community transmission happening here.  We do not have the ability to screen people to see if we should trigger the current shutdown criteria.  So, I'm calling to ignore those criteria based on that evidence and to suspend in-person classes in the local schools with community transmission in the area.

Other local educational organizations appear to agree with this.  Local colleges and universities have suspended in-person classes. At least one local private high school has announced suspension of in-person classes until Mar 10. I do not believe any of these are based on the Health Department guidelines or specific cases -- they're evaluating the overall situation and risk.

I'd love to be wrong, but for today & tomorrow, out of an abundance of caution, I'm keeping my kids home from school.

(There's also a petition going around to suspend classes at MVHS: https://www.change.org/p/mvla-school-district-halt-in-person-classes-at-mvhs.)

Update:  The reasoning provided by the Santa Clara County Health Department in a Nextdoor post is:

The reason we are not recommending school closures at this time is because children have not been shown to be a high-risk group for serious illness from this virus. Some children have underlying health conditions, such as weakened immune systems, that put them at higher risk. Caregivers of children with underlying health conditions should consult with healthcare providers about whether their children should stay home from school.
Many students also rely on schools and staff for basic needs, including regular meals, health care, and child care. If schools shut down, vulnerable families are at a higher risk of being negatively impacted. 
Another factor to consider is that closing schools may unintentionally impact our health care community and our collective response to COVID-19. There may be parents of students who are working as health care providers or in the health field on the front lines of the COVID-19 response. If schools close, parents may not be able to work and provide support to those who need it.

I agree the children without underlying health conditions aren't at high risk; that's not my major concern here -- it's amplifying the community transmission of the virus in a major way by failing to shut down our biggest group event, public schools.  The concerns about vulnerable families being at risk due to lack of meals, health care, and child care are definitely valid issues, but ones the school needs to have made contingency plans for weeks back.  We do not need to continue in-person classes to maintain those services.

Update: After I wrote the above, I checked the Mercury News and saw this op-ed from a team of doctors.  It reaches the conclusion that school closures are inevitable and suggests some good options for mitigating the impact: https://www.mercurynews.com/2020/03/12/opinion-doctors-call-for-school-closures-done-right/

Update 5pm 3/12: The elementary school district just sent this out:

* In the event of potential school closure, our Food and Nutrition Services Department will utilize the district's food truck to serve meals to children under the age of 18 near Castro Elementary/Gabriela Mistral Elementary campus, as part of the Seamless Summer program
* We are in the process of creating grade-level packets with student work for use through spring break. The District will provide information to families on how they can access packets beginning Wednesday, March 18. These packets are designed to reinforce concepts already taught. Additionally, parents and students can log onto Clever.com for online learning resources like i-Ready, Khan Academy, Zearn, etc. This is not a replacement for classroom instruction.
Absences: The Santa Clara County Office of Education and County of Santa Clara Department of Health continue the guidance that students who are well continue to attend school. We understand that families can still make a choice to keep their children at home during this time, and we want to honor that choice. For the next few weeks, we will not be taking any truancy action or dis-enrolling students accruing unexcused absences. 
The decision-making process for potential school closure is that we continue to assess the situation on an almost-daily basis with the County of Santa Clara Department of Health and Santa Clara County Office of Education. The possibility of school closure is more imminent as districts and organizations around the area close in an attempt to curtail the potential spread of the virus. It is wise that families now prepare plans for child care. We will continue to update you and will provide any details as soon as we have them. 

Links:
https://www.fast.ai/2020/03/09/coronavirus/
https://www.wired.com/story/singapore-was-ready-for-covid-19-other-countries-take-note/

2020/01/24

Things People Have Been Impeached For In the Past

Just a few things to bear in mind when considering what counts as "high crimes and misdemeanors".  Read this list, and, however vague you might think the boundary to be, consider just how far beyond the following lines the President's alleged conduct has brought us:
  1. Acting "contrary to the duty of his trust and station as a Senator of the United States" [Blount, 1797]
  2. Acting as a judge "in a state of total intoxication, produced by the free and intemperate use of intoxicating liquors" [Pickering, 1804]
  3. On numerous occasions, "with a loud voice, certain intemperate, inflammatory, and scandalous harangues, and did therein utter loud threats and bitter menaces ... against Congress [and] the laws of the United States duly enacted thereby, amid the cries, jeers and laughter of the multitudes then assembled and within hearing" [Johnson, 1868]
  4. Because his "personal habits unfitted him for the judicial office . . . and that his sobriety would be the exception and not the rule." [Delahay, 1873]
  5. "[B]ringing the Judiciary into disrepute" [Archbald, 1913, Article XIII, convicted and removed]
Photo of Archbald
I can't believe I was removed for "bringing the Judiciary into disrepute" but y'all are gonna keep Trump.
If "[B]ringing the Judiciary into disrepute" is a lower bound for impeachment & removal, we passed that lower bound several miles ago.  And all of this is precedent over 100 years old, so it should be no surprise to Donald John Trump.

References:

https://www.senate.gov/artandhistory/history/common/expulsion_cases/Blount_expulsion.htm
https://networks.h-net.org/node/950/reviews/1062/rotter-melton-first-impeachment-constitutions-framers-and-case-senator
https://constitutionallawreporter.com/2017/04/04/john-pickering-federal-judge-impeachment/
https://history.house.gov/Exhibitions-and-Publications/Johnson-Impeachment/Building-the-Case-for-Impeachment/
https://en.wikipedia.org/wiki/Mark_W._Delahay
https://en.wikipedia.org/wiki/Robert_Wodrow_Archbald


2020/01/21

Why VSAP 2.0 Should Not Be Certified

Text of my letter to the California Secretary of State office with public commentary on the proposed certification of the LA County VSAP 2.0 system's universal-use Ballot Marking Devices.


Dear Secretary of State Padilla,

I write to provide my comments on the VSAP 2.0 evaluation and certification process for LA County.  I have reviewed the written reports and corresponded with Dean Logan, RR/CC for LA County, to try to resolve open questions about the system and the process.  I have several open questions remaining, but with the deadline upon us I will give the feedback I can with the information I have. If I have interpreted anything incorrectly, please let me know, and please understand that I have done everything I can with the time allowed to gather information and form opinions.

Background

I am a software engineer (B.S. Computer Science, M.S., Computer and Information Sciences).  I have worked as a software engineer in the industry for 30 years. I have ordinary skill in the art with various standards and technologies for data storage, distributed computing, and security for online and offline systems.  I am not a security specialist but have worked extensively with such specialists in building large scale consumer systems. I have also worked as an election clerk in Santa Clara County and am familiar with the processes and systems used in that county.

General

I have been happy to hear that LA County has been working to create a system that is fully owned by the public, not by a vendor. The flexibility and potential ability to re-use this system in other counties is very promising. At the same time, I have concerns about this system that I ask to be considered both in certifying it for 2020 and going forward in LA County and elsewhere.  They primarily involve the security of ballot marking devices and how those impact the assurances of Risk Limiting Audits (RLAs).

Universal Ballot Marking Devices Are an Unnecessary Security Risk

For security reasons, and because it is not a necessary requirement for the improvements incorporated in VSAP 2.0, I strongly object to the requirement for universal use of ballot marking devices (BMDs) for in-person voting.  I am basing this on the reporting that “Starting with the presidential primary, every in-person L.A. voter must use a ballot marking device”.  While voters still have the option of hand marked paper ballots for mail-in ballots, this is not available to in-person voters.  The only option for voters wishing to opt for a hand marked paper ballot is to request a pre-printed ballot by Feb 25:

"Pre-printed ballots will not be available at vote centers," Logan said, adding that voters who want to use pen and paper should request a mail-in ballot by Feb. 25. 

Mr. Logan claims that denying hand marked paper ballot options to in-person voters is because having that option “creates a separate but equal type of scenario.”  He provides no evidence or argument to support that claim.  In addition, the fact that California does allow hand-marked paper ballots for voters who request them before Feb 25 undermines this argument -- if this were truly a “separate but equal” issue, why is it a non-issue for vote by mail voters?

On the other hand, there are strong security arguments for allowing voters to hand mark paper ballots.  Specifically, hand marked ballots are not vulnerable to an entire class of electronic attacks against ballot marking devices (to which the VSAP 2.0 BMD clearly belongs). We have recent experimental evidence that voters do not effectively verify BMD printed ballots without very specific training and real time prompts in the polling place -- none of which is in place for the March 2020 elections.

In addition, the VSAP 2.0 system may potentially be vulnerable to a variant of the attack Andrew Appel termed “permission to cheat”, because it includes a print head in the paper scanning path for ballots, potentially allowing marks to be added to ballots even if the voter visually verified them first.  (This was not evaluated by the security report below).

Allowing voters to use hand marked paper ballots, in conjunction with Risk Limiting Audits, mitigates this entire class of attacks and is a recommended practice among a large group of security experts.  Matthew Blaze, testifying before the House Administration Committee earlier this month, made this point clearly:

BMD-based voting systems are controversial, since, by virtue of their design, the correctness of their behavior cannot be effectively audited except by individual voters carefully verifying their machine-printed ballots before they are cast. A maliciously compromised BMD could subtly mismark candidate selections on ballots in a way that might not be noticed by most voters and that could undetectably change election outcomes. Furthermore, if BMDs fail or must be rebooted at a polling place, there may be no alternative method for voters to create marked ballots, making BMDs a potential bottleneck or single point of failure on election day.

As a relatively new technology, BMD-based systems have not yet been widely examined by independent researchers and have been largely absent from practical election security research studies. However, even with relatively little scrutiny, exploitable weaknesses and usability flaws have been found in these systems. This underscores the need for more comprehensive studies and for caution before these systems are purchased by local jurisdictions or widely deployed.

[Emphasis added.  Testimony by Matt Blaze before the House Administration Committee on Jan 9 2020, p 9; available at https://docs.house.gov/meetings/HA/HA00/20200109/110346/HHRG-116-HA00-Wstate-BlazeM-20200109-U1.pdf.]  This advice is in line with most other recommendations from security experts and takes into account the best practices of the field.

LA County, disregarding this advice, proposes to widely deploy VSAP 2.0 and to force all in-person voters to use the system.  It should not do this.

Specific Issues with the Certification Process

The Security Report Has Unresolved Findings

The “Security and Telecommunications Testing of the LA County VSAP 2.0 Voting System” (“Security report”) dated Dec 24, 2019 includes several detailed findings.  I will reproduce some of the key findings of concern here, as they are not reproduced fully in the Staff Report and recommendations.

The easily defeated locks and seals on all of the VSAP devices resulted in the system not conforming to CVSS 2.1.1.a, which provides that all systems shall “Provide security access controls that limit or detect access to critical system components to guard against loss of system integrity, availability, confidentiality, and accountability.” It also degrades the ability of the system to meet CVSS 7.3.a. which states, “Any unauthorized physical access shall leave physical evidence that an unauthorized event has taken place.”  [Security report, page 17].

Compounding the above, “Booting from a USB drive was not disabled on any of the systems. As such, gaining physical access to the machines allowed access to both the operating and application files for VBL, Tally and FormatOS.” In addition, “The cryptographic key material used to protect the integrity of elections was not encrypted. All cryptographic keys present were accessible in plaintext.” and “This allowed secrets used to ensure election integrity to be recovered with only physical access to the system’s storage device.” [Security report, page 18].

Mitigating this somewhat: “This attack could be conducted by an elections official insider or a vendor insider. A voter would not have sufficient access to the system to successfully complete the prerequisite defeat of physical security without leaving evidence of the attack.”  Even granting this (difficult to evaluate) it does indicate that the system is not secure against insider attacks without additional precautions.

The finding “High Dependency on Root Access” is also concerning:  “Root access is required for many regular operations in the VSAP system. These include, but are not limited to, updating cryptographic keys used to protect and verify the integrity of elections and voting information and performing regular system maintenance, including regular system shutdown and startup. This situation invariably leads to poor control of access to the root password which enables subsequent unauthorized access.” [Security report, page 20.]  This does not conform with CVSS 2.1.4.f and 7.2.1.b.

The Source Code Review Report Supports The Security Findings

The VSAP Source Code Review Report is relevant here as well, stating on page 91: “The system is airgapped—that is, not connected to the internet or connected to any other system that is connected to the internet. Air gap systems include  Ballot Marking Device Manager (BMG) Ballot Marking Device (BMD) VSAP Ballot Layout (VBL) Tally … Note: Unused hardware ports (i.e. USB ports) are protected by port locks and/or tamper evident seals with signaling residue to reveal modification and/or removal. The serialized tamper evident seals are manually logged with an operator signature, seal number, location, date and time. This is to prevent removal of authorized connections when the port is in use and to prevent the insertion of unauthorized connections when the port is not in use. This prevents any infected USB flash drive from crossing any air gap.”  However, per the Security report, this does not defend against an insider attack given the seals can be bypassed without detection with an insider’s access.

The Smartmatic response to the concerns involving an infected USB flash drive was (page 91): “A malicious trusted insider would likely attempt other avenues by which to subvert the voting system… At this late time in the Certification campaign, we do not see the ability to remediate the listed software vulnerabilities assuming any could be exploited and would serve as a valuable target.”

On page 93, highly secure key material is left open to all users of the operating system: “The CA certificate and key are stored in tmp and set to 777 file permissions. …”  The response indicates that this data is not necessary to the operation of the system and should have been removed as part of installation: “The documentation will be updated to instruct the installer user to delete all data from temp once the install is finished.”  This does not inspire confidence.
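A post-install check can catch this class of leftover instead of relying on an installer remembering to clean up. The following is an added example, not code from the VSAP reports or the vendor: the function names and the sample files are constructed for illustration, and it assumes the key material is PEM-encoded.

```python
import os
import re
import stat
import tempfile

# PEM header of private key material (PKCS#8, RSA, EC, ENCRYPTED, OPENSSH, ...).
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def is_private_key(path, sniff_bytes=4096):
    """True if the first bytes of the file contain a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return False  # unreadable by the auditing account: cannot classify
    return PEM_KEY_RE.search(head) is not None

def audit_key_permissions(root):
    """Return (path, octal mode, problems) for each key exposed beyond its owner."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode) or not is_private_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                problems.append("readable by non-owner")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                problems.append("writable by non-owner")
            if problems:
                findings.append((path, oct(mode), problems))
    return findings

def demo():
    """Constructed sample: one key left at 777, one at 600, one public cert."""
    with tempfile.TemporaryDirectory(prefix="install-leftovers-") as root:
        samples = {"ca.key": 0o777, "service.key": 0o600, "ca.crt": 0o644}
        for name, mode in samples.items():
            header = b"CERTIFICATE" if name.endswith(".crt") else b"PRIVATE KEY"
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"-----BEGIN " + header + b"-----\nCONSTRUCTED-SAMPLE\n")
            os.chmod(path, mode)  # chmod sets the exact mode, independent of umask
        return [(os.path.basename(p), m, why) for p, m, why in audit_key_permissions(root)]

if __name__ == "__main__":
    print(demo())
```

Only the key left at 777 is reported; the key at 600 and the public certificate are not.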

The Usability of the System Is Not Yet Proven

While voters clearly enjoyed using the new system, and it may well be an improvement over the old electronic system, that does not mean it produces the correct results.

The “Usability, Accessibility and Privacy Testing” report may also have detected some reliability problems, though it is difficult to tell given the available data.  On page 7: “Long periods of silence made it seem as if the voting session was over” and on page 25, “Some voters noted that there were some long delays/pauses in the audio in varying parts of the ballot. This was confusing for the voter and is also not in conformance with section 3.2.8.b, CVSS standards”.  This might indicate a problem that could become worse under load, making the system unusable for some voters and/or confusing for others.

There are other usability problems that are worth calling out because they are key to the claimed superiority of BMDs over hand marked paper ballots:  The system does not warn about overvotes.  

On page 26, there is the following finding re: CVSS 3.2.2.1 (emphasis added):

CVSS 3.2.2.1: Notification of Effect of Over voting - If the voter attempts to select more than the allowable number of choices within a contest on a VEBD or PCOS, the voting system shall notify the voter of the effect of this action before the ballot is cast and counted. 

When a voter attempts to over vote a race the BMD automatically cancels the first choice and accepts the second.

While this is a standard computer list selection UX and might be more familiar than other designs, it is definitely more susceptible to inadvertent touches changing the voter selection by accident than a system which warns and requires confirmation.  Without full usability testing it is impossible to say either way, but this clearly appears to violate CVSS 3.2.2.1.

Similarly, on page 26, we find a technical noncompliance that may lead to real election concerns and lawsuits:

3.2.7.a.: No page scrolling - Voting systems shall not require page scrolling by the voter.

Long candidate lists require the voter to scroll on BMDs

From other reporting it appears that “long” in this context might be “more than 3 candidates.”  (I am interpreting this finding as equating “scrolling” with the “next” button used to move to the next page of results, where the page size appears to be set to 3 at a time, which breaks up even rather small lists of candidates into small sub-sections.)  This also appears to violate CVSS 2.3.3.3.f per the Functional Test Report. Finally, this UI also appears to violate CVSS 3.2.5.e.i: “The voting system shall visually present a single contest on a single page or column except where the number of choices in a contest makes it impossible.”

The Functional Test Report’s Findings Remain Unaddressed

The “Functional Test Report” reflects a large number of findings, some of which are not noted in the staff report.  

On page 12, findings related to CVSS 2.1.1.a, CVSS 2.1.4.f, CVSS 7.2.1.a.i, and CVSS 7.2.1.c: “The excessive root access and the ability to boot the system from a USB port give access to the system by unauthorized individuals. Either scenario can result in undetected changes to files and data.”

The Red Team was able to gain access regardless of mitigations:

CVSS 7.5.4.b: “Threat model: failure - Voting systems shall fail open ended vulnerability testing if the manufacturer’s model of the system along with associated use procedures and security controls does not adequately mitigate all significant threats as described in the threat model. The OEVT team may use a threat model that has been amended based on their findings in accordance with 7.5.4.3.c.” 
The testers were able to gain access to the system regardless of mitigations.

The Staff Report Does Not Address the Findings Yet Recommends Adoption of a Non Compliant System

Finally, the “Staff Report” summarizes the findings and addresses them. However, it fails to address all of the findings.  I will focus only on some that appear to be unaddressed for no apparent reason.

On Page 15, Table 4a, it lists some but not all of the non-conformance findings I detailed above:


The problems with this table are:
  1. There is no information on how updated “processes and procedures” are going to address physical design issues with tamper evident seals.  How?
  2. “The county will apply port protectors” does not appear to be a new mitigation at all, since the ports were theoretically already protected by tamper-evident port blockers per the Source Code Review Report (“Unused hardware ports (i.e. USB ports) are protected by port locks and/or tamper evident seals…”).  Thus, this is non responsive and the non conformance is unaddressed.
  3. The finding "Shared/Static Secrets" not conforming w/ CVSS 7.2.4.a is simply ignored.
  4. The finding "High Dependency on Root Access", not conforming w/ CVSS 2.1.4.f, CVSS 7.2.1.b, CVSS 7.2.4.a, is also simply ignored.

The section “Accessibility, Usability and Privacy Testing Summary” (page 16) similarly ignores a set of non conformance issues which appear to remain unaddressed anywhere. In particular, the only non conformance issue mentioned is the long period of silence (delay in audio output), with no mitigation or plan to address it noted; none of the other non conformance issues listed earlier are noted or addressed.

Three California Elections Code Requirements Are Not Met by VSAP 2.0

Finally the Staff Report lists the sections of the Elections Code and claims that VSAP 2.0 meets all of the requirements.  I would take exception to the following:

§19101 (b) (3): The system shall be safe from fraud or manipulation.

The system has unaddressed conformance issues which show it has not yet met this requirement.

§19204.5: The Secretary of State shall not certify or conditionally approve a voting system that cannot facilitate the conduct of a ballot level comparison risk-limiting audit.
§19270 (a): The Secretary of State shall not certify or conditionally approve a direct recording electronic voting system unless the system includes an accessible voter verified paper audit trail.

The system produces ballots that cannot be said to be voter verified and therefore the fundamental requirement for a ballot level comparison risk-limiting audit (per Stark’s definition) cannot yet be met.

Per the above, I do not believe that the Staff Report should be accepted and the system certified for use in elections.  With modification, I believe it can be -- if we accept that it should not be used as a universal forced-BMD solution but as an optional mechanism for casting ballots for voters who prefer to use it.  That mode does not pose nearly as great a danger and mitigates the non conformance with §19101 (b) (3), §19204.5, and §19270 (a) of the Election Code of California.

