Avi Rubin quotes Walter Mancuso, a Republican Chief Judge in the September 12 primary in Montgomery County, Maryland:
Approximately a week after the primary I received a telephone call from the Montgomery County Board of Elections inquiring as to why one of the eight touch screen voting machines that we used on election day had recorded no votes, even though 55 voters were logged onto the machine. Neither I nor the Democratic chief judge had any explanation. The person at the [Board of Elections (B of E)] told me that they would investigate, talk to Diebold, and get back to me. After a week I called the Board and asked what they had discovered. I was told that at 6:50 AM (prior to opening the polls) that particular touch screen machine had been rebooted, and the memory card had been removed and reinserted into the machine. I was told that removing the memory card activated a security feature of the touch screen unit, and thus nothing was recorded on the memory card. By the way, no error message was displayed to indicate that that machine had been tampered with and thus should not be used. When we accumulated the votes on the zero machine after the polls closed, that particular machine reported that no voters had used the machine during the election. Thus, prior to talking to Diebold we assumed that the 55 votes were lost.
Rubin notes:
Walter goes on to explain that the board of elections used the hard drive of the voting machine to recover the 55 missing votes.
So, according to this, there is a security feature that causes a machine with a memory card that is ejected and then reinserted to not record any votes on that memory card. I don’t understand what security threat this is designed to counter. Even if a rogue memory card is inserted, how does not recording votes on that card protect anything? Furthermore, this introduces a new risk. A malicious poll worker (i.e. a malicious person who decides to become a poll worker to disrupt the election) could insert and remove each memory card at the precinct during setup. If you believe the message from Walter Mancuso, that would cause none of the votes in that precinct to be recorded anywhere except on the hard drives of the voting machines.
These machines are a disaster waiting to happen.
Wow.
The e-poll books are supposed to be operated by tapping a small plastic stylus against the computer screens. The terminals are linked together and are used to register, among other things, whether a voter has shown up at the polls.
But during last month’s primary election, on occasion, one machine in a precinct would show voters as having cast ballots, while another would say they had not come to the polls.
To fix the problem, Diebold officials said yesterday the units could be operated with computer mouses and that they could provide the state with 5,500 of them in time for the general election. Or they could install new software and allow election judges to touch the screens.
During yesterday’s test inside the Marriott’s banquet hall, the mouses were in use. But one poll worker did not heed the warning to operate the equipment using only the mouse, causing the machine to lose contact with the five others it was linked to. It took less than 30 seconds to reboot the machine.
The inexplicable thing about this is that the Sun describes this as “a relatively smooth test.” But my question is: smooth compared with what? Paper ballots don’t have to be rebooted if someone touches them the wrong way. It’s not possible to vote twice with the same paper ballot. It may be the case that compared with previous Diebold tests, this one was relatively smooth, but compared with more traditional voting systems, Diebold’s machines are still a disaster waiting to happen.
Hat Tip: Techdirt
Rolling Stone has a provocative article speculating that Diebold may have stolen the 2002 election in Georgia for Republican candidates. According to one Diebold employee, the company secretly installed software patches on machines in Democratic areas of the state in the months before the 2002 election:
Diebold insists that the patch was installed “with the approval and oversight of the state.” But after the election, the Georgia secretary of state’s office submitted a “punch list” to Bob Urosevich of “issues and concerns related to the statewide voting system that we would like Diebold to address.” One of the items referenced was “Application/Implication of ‘0808’ Patch.” The state was seeking confirmation that the patch did not require that the system “be recertified at national and state level” as well as “verifiable analysis of overall impact of patch to the voting system.” In a separate letter, Secretary Cox asked Urosevich about Diebold’s use of substitute memory cards and defective equipment as well as widespread problems that caused machines to freeze up and improperly record votes. The state threatened to delay further payments to Diebold until “these punch list items will be corrected and completed.”
As I write this, Ed Felten is testifying before the House Administration Committee on e-voting. He recommends better physical security features, a voter-verified paper audit trail, and greater involvement of computer security experts. These are all good recommendations. One recommendation he doesn’t make, unfortunately, is that we consider scrapping e-voting altogether.
If there’s one message that comes through most clearly in his testimony, it’s “get the details right.” The word “detail” appears on every single page of the written testimony, and in five distinct cases he stresses the importance of paying attention to the implementation details of the security measures he recommends. He stresses that security measures that sound good in the abstract will be useless or worse if they’re implemented poorly.
I think he’s right, but here’s the problem: I don’t see any reason to think that the political process will ever be able to get the details right. Politics proceeds by 30-second soundbites. Congress-critters are too busy to delve deeply into the minutiae of voting machine design. And, frankly, the people who tend to volunteer to be poll workers are not, on average, very smart.
If you’ve got a policy proposal that depends on the political process getting a lot of complex technical details right, you should probably find a better proposal. Our political institutions should be as fault-tolerant as possible, so that even if a lot of people screw up, the system will still work.
Yesterday I argued that computerized voting was dangerous because it makes the voting process more centralized and less transparent. Today I’ll argue that open source voting is clearly better than proprietary computerized voting, but that paper ballots are preferable to either.
Open source voting software doesn’t do a whole lot to address the centralization issue. True, the development of the software would be decentralized, but the process of manufacturing the machines and loading the software onto them would still likely be handled by a commercial company that would constitute a single point of failure. If someone at the manufacturing facility is unscrupulous, or if someone finds a vulnerability in the software or hardware, he’s going to be just as able to compromise a large number of open source machines as he would with closed-source ones.
As for transparency, open source voting machines clearly enhance transparency in the sense that more people are able to study and criticize the design of the voting software. And that would certainly enhance security. It’s widely accepted among security professionals that openness and peer review are the best way to ensure a system’s security. If Diebold made the source code to its voting machines publicly available, it’s certain that security experts would have long since pointed out the flaws Felten discovered and Diebold (I hope) would have fixed them.
A couple of weeks ago, Luis Villa had an excellent comment about the merits of open source voting. I had expressed the opinion that open source voting machines would be preferable to the status quo, but that the ideal outcome would be not to use computers in voting machines at all. Luis responded:
I think you’re discounting how corruptible the current system is, and focusing only on what the current generation of e-voting machines do or don’t do, security-wise. Well done e-voting (particularly including the printing of a reliable paper trail) could be much more reliable than the current mishmash of paper technologies, which as any resident of Florida, Ohio, or Chicago will tell you is deeply insecure already.
This is a good point. Paper ballots clearly aren’t perfect, and so when we’re evaluating the merits of computerized voting, it’s important not to hold them to a standard of perfection that’s not attainable with any technology. But I still think we’d be better off dispensing with computers entirely, as I’ll explain below the fold.
Techdirt is reporting that Maryland Governor Ehrlich has come out against the use of electronic voting machines in this year’s elections. I agree with Mike:
The rationale for keeping the machines also leaves us scratching our heads: “We paid millions. These are state-of-the-art machines.” Two responses: The evidence is pretty clear that these are not state of the art machines. They’re badly made, with ridiculously weak security, and a company behind them that bullies its critics, blatantly misleads in its responses to security problems and cracks jokes about their weak security when confronted. Therefore, it really doesn’t matter how many millions you spent on them, the machines are a problem. The Senate President also accused Ehrlich of simply using this issue as a political ploy to rally his supporters. By the way, for those of you who want to believe e-voting is simply a big Republican conspiracy (based on some offhand remarks by Diebold’s former chief), we should note that Ehrlich (who wants to scrap the machine) is a Republican, and the folks who want to keep the machines are Democrats. So, once again, we’ll note that this is not a partisan issue. It’s an issue about having secure, fair and accurate voting.
Quite so. Computers are very useful for a wide variety of tasks, but merely putting a computer in something does not make it “state of the art.” These are defective voting machines, they put the integrity of the election at risk, and so they shouldn’t be used no matter how many bells and whistles they might have. Hopefully Ehrlich’s announcement will be the start of a trend.
Ed Felten has responded to Diebold’s criticism of his paper. Felten emphasizes that the most interesting thing about Diebold’s response is what they don’t say. They cite a lot of supposed security measures–tamper-evident seals, encryption, digital signatures, etc–but at no point in the response does Diebold specifically claim that any of those measures actually would have prevented the attacks Felten describes in his paper. Diebold waves their arms a lot in the hope you won’t notice this. But the bottom line is that Diebold has given us no reason to believe that the vulnerabilities documented in the paper have been corrected.
OK, this will be the last voting machine post for the week, but I couldn’t help plugging Avi Rubin’s new blog, which was pointed out to me by Mike Masnick. In particular, Rubin has a chilling account of his experiences as an election judge. He describes how two of the machines didn’t have the right security tags, and so they were set aside. However, later in the day, facing high turnout, they got a call from the elections board telling them to put those machines back into service. And there’s more:
Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to “help”, and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines (not to mention the fact that there were not enough ports on the machines to do it that way). The next few times we had problems, the judges would call him over, and then he called me over to help. After a while, I asked him how long he had been working for Diebold because he didn’t seem to know anything about the equipment, and he said, “one day.” I said, “You mean they hired you yesterday?” And he replied, “yes, I had 6 hours of training yesterday. It was 80 people and 2 instructors, and none of us really knew what was going on.” I asked him how this was possible, and he replied, “I shouldn’t be telling you this, but it’s all money. They are too cheap to do this right. They should have a real tech person in each precinct, but that costs too much, so they go out and hire a bunch of contractors the day before the election, and they think that they can train us, but it’s too compressed.” Around 4 pm, he came and told me that he wasn’t doing any good there, and that he was too frustrated, and that he was going home. We didn’t see him again.
Luis Villa urges Red Hat to join the voting machine industry. He suggests that the open source model would be a good fit for voting machine development:
Security- As Ed Felten demonstrated spectacularly yesterday, the current generation of electronic voting machines are painfully insecure. Go watch the video. Open source security auditing can do much better than that. (Diebold’s defense, by the way, is that Felten should have asked them for more information. That would not be a problem in an open source context.)
Cost- Governments are fairly price sensitive, especially in low-profile areas like voting. Open source is traditionally very cost competitive, and in this particular case, the closed-source systems have to license components like WinCE, so they are definitely at a disadvantage.
Pre-existing community- Corporate-sponsored open source work does best when it works in hand with existing bodies of volunteers and expertise. Such groups already exist in open source voting; open voting consortium is the first hit on google but I believe there are others as well.
Political motivation: one of the most tried and true ways to motivate open source contributors is to give them a bad guy. Voting fraud is replete with bad guys on all sides; if a project got enough backing (i.e., RH) to make it look like it might get actually used in an actual election, people would come out of the woodwork to audit and patch it.
And he points out that Red Hat is one of the few open source companies with a track record of building complex, mission-critical hardware-software systems.
I find this argument pretty compelling. I still think the best solution would be not to use computerized voting machines at all, but if we must have them, it’s hard to beat open source for security, transparency, and affordability.