?

Log in

No account? Create an account

November 6th, 2004

SOUR GRAPES?

I'm not gonna dwell on elections past for very long, but I am puzzled by the reports of ballots being shoved into car trunks wholesale, and the complete disconnect between exit polls coming in all day from a variety of sources, that had the Republican War Room *very* wooried, by all accounts.

Last Summer Sheila and I (at her request)embarked on a project to examine possible voting problems, particularly with electronic voting. Sheila is a graduate of Georgia State University, with a B.Sc. in Psych, and is currently an MBA candidate in the final year of her Masters' Program. This paper, in a different format, formed the basis for a research project in grad school. I post it here in raw form, but some of you might find it useful or suggestive, and not in the way I usually mean that:


ELECTRONIC VOTING
FAULTY TECHNOLOGY, FAULTY LOGIC

By S.G.
Research and Editing by TAG

“The ability to install patches or new software that wasn’t certified has many risks, including the introduction of new bugs and more opportunities for tampering. It is even more risky if different patches can be installed at the last minute in particular jurisdictions…This opens the possibility of customized tampering by people who know exactly which races they want to affect, or bugs that are even less likely to be caught because they only occur in a small number of locations…Of course, even if the certified code is frozen, it is easy to think of ways that undetectable back-doors could be installed in the software so that someone at the election site could choose the winner of the election.”
David Dill, Professor of Computer Science, Stanford University

“Those who cast the votes decide nothing. Those who count the votes decide everything.”
Joseph Stalin, Soviet politician

Electoral fraud has been a problem for democracy as long as voting has existed. Until relatively recently, the “technology” of voting was simplicity itself. After a poll worker ascertained the registration of voters in a given district upon presenting themselves, the voter was handed a paper ballot and pencil, directed to a private booth or workstation where they would privately check off candidates and initiatives of their choice. They would then deposit the paper ballot in a secure box supervised by a poll watcher and exit the polling station. Should an election be disputed for any reason, the ballots could be recounted, and the correlation between number of certified registrants issued ballots and number of votes cast could be reviewed for any irregularities. This simple system is still used in many parts of the world, and, for that matter, in some electoral districts in the United States.

It is beyond the scope of this paper to detail how this simple system could be circumvented, but it will suffice to say that any system developed to date can be circumvented in one way or another. A classical example in Georgia politics involved the tardiness to remove deceased persons from registration rolls, particularly in rural counties, and the reported abuse of this tardiness by surrogates claiming to be the deceased voter (identification often consisted—indeed, in some venues, still exists—of asking the would-be voter’s name), obtaining a ballot and voting in that person’s name. Such corrupt practices would, at a minimum, involve persons or organizations that had access to voting registration rolls and death certificates, implying criminal conspiracy with a political agenda, but the decline of paper ballot-based voting had nothing to do with corruption.

Rather, with the advent of the communications revolution and the desire by the public and electronic media to have rapid feedback on election results, the inherently slow process of counting paper ballots became reason enough to look for more rapid methods of vote counting. That the advent of electronic communications media and the advent of computer technology roughly coincide in the post World War Two world is more than coincidence; to a large extent, they are part of the same information technology revolution. Thus we see, especially from the 1960s forward, an increased reliance upon computer-linked voting systems. While the earliest systems were punch card based and machine counted in keeping with the computer technology of the time, the primary complaint of the time once again was centered on the rapid flow of feedback. The counting machines were known to jam, and election results could be delayed while the system was reset. This could also lead to spoiled ballots, but the major point to grasp here is that a paper trail continued to exist under all such systems. That is, at the minimum, in a disputed result a recount was possible where the number of verified registered voters in a given precinct who appeared applying for a ballot could be verified and compared to the number of votes actually cast by simple comparison. Further, while the secret ballot protection of democratic process was preserved, assuming consistency between registered voters who voted and the number of ballots cast, the ballots could be manually reviewed to see what they actually indicated; in other words, the actual vote could be carefully scrutinized.

It is commonly assumed that the U.S. Civil War settled forever the question of sovereignty of the several states versus the Federal Union envisioned in the U.S. Constitution, but this is clearly not the case, and, once again, it is beyond the scope of the present paper to more than touch on this issue. Suffice to say that the necessity of the 19th Amendment of August 26, 1920 granting women the right to vote, the Voting Rights Act of 1965, and other “patches” had to be enacted and enforced to assure that minority Americans could vote at all in the states. More directly relevant to our considerations here is that down to the present day, even in federal elections, the decisions on what type of voting technology is to be used in a local district is determined at the state or district level. Such decisions vary greatly. As noted above, some districts still use paper ballots little different from 19th Century voting technology, while others use methods as diverse as punch card machines of various types, optical scanners and, increasingly, electronic touch screen technology.

“E Voting” or electronic touch-screen methods are not new; experimental versions have been available for inspection for decades. A touch-screen system was displayed at the opening of Disney’s Epcot Center in 1982. The matter only came to a head following the 2000 Presidential election, and the intense national debate focused on the various forms of ballots, notably punch card and the variant “butterfly” ballots used in Florida in that year. The very closeness of the results exposed a problem that doubtless has existed in mass elections with millions of ballots cast on a single day in a single race virtually unnoticed for many years. The very electoral system of assessing the public will on a given person or issue is brought into question, as it has proven virtually impossible to get an entirely consistent count of actual votes cast. Indeed the results of that election are still in dispute and will probably forever remain so.

The conclusion to be reached here is that the existing technologies then in use were incapable of anything approaching 100% accuracy for a mass, time limited influx of tens of millions of votes cast, using a variety of voting technologies acquired for local voting districts and monitored in practice by persons of varying technical skills and personal motivations, from the technologically illiterate to the personally corrupt on one end of the spectrum, to the technically sophisticated and incorruptibly public spirited at the other end, but with no universal national standard in place.

Enter the purveyors of electronic voting systems. It should be remembered that acquisition by state and local voting districts is primarily and preeminently a political decision, not necessarily informed by technological sophistication on the part of decision-makers and purchasers, let alone local volunteer poll watchers and other officials. The merchandising of various e-voting touch-screen systems is therefore largely a matter of corporate salesmanship to the local elections officials, rather than a matter of the active, informed procurement of a safe, user-friendly and reliable voting system.

Early-on in the current cycle, companies including Populex, ES & S, and Global Election Systems were quick to enter the game of selling their version of a touch-screen system to various electoral venues, with mixed success. In 2002, the Diebold Safe Company bought out GES, and, under the name “Diebold Election Systems” rapidly became the industrial giant to beat in the emerging e-voting industry.

Considering the political significance of the proposed technology to be used for touch screen voting, the history of Diebold is more than a little interesting. Founded by an immigrant from the Germany of “Iron Chancellor” Otto von Bismarck in Cincinnati in 1859, the company’s first and hitherto best-known product was the bank safe. By 1870, they held some 67 different patents on safes. In the wake of the Great Chicago Fire of 1871, over 800 Diebold safes were discovered to have protected the documents and currency within, and the business grew in prosperity dramatically, drawing on imported German labor to a degree that it became known up until the First World War as “Little Germany” The company relocated to Canton, Ohio in 1872 to avoid the beginnings of unionized labor in Cincinnati. Continuing in their mission to protect the assets of the wealthy they branched out, in the 1880s and 1890s, into the business of “ making jails, jail corridor doors, hangman trap doors and padded cells for asylums,” a fact they seem particularly proud of that they emphasize this in their company literature to the present day.

When America entered World War One, the German association was unceremoniously deemphasized. They continued to market various protective devices with 82 such patented between the end of WW I and 1954. They acquired the O.B. McClintock Company and branched into the burglar alarm business, as well as early versions of drive-in banking. This led, logically, to an interest in the earliest ATM machines in the 1960s, and continued to perfect this technology. The ATM became, progressively, a safe and robot bank teller, an electronic surveillance device, and, in a technical sense, by recording the transactions of ordinary bank customers, a precursor of the touch screen voting system.

One thing that is conspicuous about ATMs to anyone who has used one should be mentioned here. The technology facilitates an active paper trail for the customer, the bank or other institution owning the machine, and, via electronic information transfer, all affiliated inter-bank systems.

Having entered the touch-screen competition with a vengeance, the State of Georgia was among the company’s first target markets for their system. Their entry into Georgia politics in an election that saw results that were entirely unexpected, including the defeat of popular Senator and Viet Nam War hero Max Cleland, and the popular State Governor Roy Barnes, the first Republican victory ever in a Georgia Gubernatorial race, was preceded by a process described insightfully by Bev Harris, the author of the scathing critique of current electronic voting, “Black Box Voting: Ballot Tampering in the 21st Century”.

As Ms. Harris describes the process:
“Recently, technicians and programmers for Diebold Election Systems, the company that supplied every single voting machine for the surprising 2002 results in the state of Georgia, the company that is preparing to convert the state of Maryland to its no-paper-trail computerized voting, admitted to a file-sharing system that amounts to a colossal security flaw…
“The files on the Diebold FTP server are sensitive. If you want to tamper with election results, you either want to change the program or change the data file. That is why the program files, which control how the votes are tabulated, and the data files, which contain the actual vote count, should not be available for swapping back and forth like recipes on a cookbook site. “
However, there is more. Diebold, which sold Georgia on their no-paper-trail system with a rather simplistic power-point presentation, according to Ms. Harris, “…has been parking files on an unprotected public Internet location. Thousands of files were available: election files, hardware and software specifications, program files, voting program patches… people found the FTP site using a simple Google search. A Global Election Systems web site contained a list of links like ‘History,’ ‘Press Releases,’ ‘Staff’ and—amazingly—‘FTP.’
“The FTP button gave total access to anonymous users, allowing anyone to download and apparently, upload to the server. The FTP site contained no copyright statement, asked for no user name, put locks on no directories. Visitors from anywhere in the world could simply walk in the front door...”
Ms. Harris asked Guy Lancaster, who formerly supervised the site, if there would be any telltale indication if someone had visited the site anonymously, and replaced files. He indicated they could, as far as he knew, at least through the 2002 Georgia Elections.
“In fact,” Ms. Harris continued her startling analysis, “Diebold Election Systems’ FTP site was unprotected as recently as January 29, 2003. And, according to an e-mail that I obtained dated October 3, 2000 written by Lancaster he expressed concern about lack of security in this file-sharing method more than two years ago. Even computer guys, apparently, don’t always connect the wires: Lancaster talked with colleagues about his company’s security issues using an open listserve forum that anyone can read.”
“In this e-mail, Lancaster admits that his company was allowing people to access a service over ‘an untrusted network,’ the Internet. He pointed out that the information could easily get redirected by a third party to another server. Apparently in both Election 2000 and Election 2002, Diebold / Global Election Systems had not devised any way to make the file-sharing system secure. “
Ms. Harris was concerned about the ease with which an unauthorized person could actually, in this environment, “download a file, alter it, and upload it. She telephoned James Rellinger, who built the system as a subcontractor to Diebold for the Georgia system. He described it as like a “workbench” or “garage”.
Ms. Harris’ alarming conclusion on the system used in Georgia was this: “The AccuVote files, freely shared and sometimes snagged from the FTP and e-mailed to election workers and technicians, included hardware and software specifications, election results files, the vote-counting program itself, and “replacement files” for Diebold’s GEMS vote-counting system and for the Windows software underlying the system. In fact, anyone with a modem could have hunkered over a computer to download, upload or slightly change and overwrite the files on Diebold’s FTP site. “
Professor David Dill put it this way, as quoted at the beginning of this paper: “The ability to install patches or new software that wasn’t certified has many risks, including the introduction of new bugs and more opportunities for tampering. It is even more risky if different patches can be installed at the last minute in particular jurisdictions.
“This opens the possibility of customized tampering by people who know exactly which races they want to affect, or bugs that are even less likely to be caught because they only occur in a small number of locations. Of course, even if the certified code is frozen, it is easy to think of ways that undetectable back-doors could be installed in the software so that someone at the election site could choose the winner of the election.”

The technical security problems involved should be familiar to most security-conscious users of the Windows 95 or Windows 98 platform. The Diebold FTP site strongly indicates that some of the software of their AccuVote system runs on precisely this platform. As Microsoft systems engineer David Allen told Ms. Harris, “No one who is seriously concerned about security would run an application on that platform. This is not even a platform recommended by Microsoft in this context, where security is a major factor.

Then Ms. Harris hit upon the sort of obscure details much-beloved of conspiracy theorists, many of whom are tech-literate. As she put her discovery, “Our attention was drawn to a curiously named file named rob-georgia. Our first thought was that a Georgia technician must be named Rob. I asked various Diebold employees if anyone named Rob works at the company…A Diebold employee named Kerry Martin told me that there was no technician in Georgia named Rob.”
“Another source pointed out that one of the names on the Diebold FTP files, Kerry Martin, happens to be the same name as the poll worker who did press interviews after the flubbed Florida primary election in September 2002, when ES&S machines (Diebold’s main competitor) did not operate properly. Some of the folders named ‘Kerry Martin’ have files in them that say things like ‘Replace GEMS files with these.’
“Well, GEMS is the main program. It stands for Global Election Management Systems, and it contains the vote-counting program itself.”

Considering the uncanny outcome of the Georgia 2002 election, at minimum we must conclude that it was possible with the technology used to change the election results, and impossible to detect any such hypothetical changes.

The reservations about the possibility of undetectable intrusion into touch-screen systems, especially lacking a paper trail, quickly began to draw critical attention from both the computer science and political communities.

Professor Ari Rubin and associates at Johns Hopkins University Information Security Institute in Baltimore demonstrated how easy it was for experts to insert an undetected virus in the Diebold system.

They summarize their initial findings thusly: “…Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software.”

This would be alarming enough, but there is more: “Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them.”

Most damning of all are the conclusions of Rubin et al: “We conclude that this voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any ‘certification’ it could have otherwise received. We suggest that the best solutions are voting systems having a ‘voter-verifiable audit trail…’ “

The conclusions by Dill at Stanford, Rubin at Johns Hopkins, similar research at Rice University, the research by Ms. Harris, the 2002 ‘experiment” in Georgia and similar alarm bells created concern all over the country. In addition to the purely scientific reservations, matters were not helped when it was disclosed that Walden O’Dell, Diebold’s current CEO, announced that he is “committed to helping Ohio deliver its electoral votes to the president next year,” according to a 2003 article by Julie Carr Smith in the reputable Cleveland Plain Dealer, which described O’Dell is a top fund-raiser for the Bush reelection campaign. The revealing fund-raising letter by O’Dell, dated August 14th 2003, was reported in numerous mainstream media. Leaked internal Diebold e-mail late last year suggested that corporate officials knew their system was flawed. One software engineer related the extremely suspicious case in Texas in the 2002 election cycle, where 3 different candidates for office won their respective races with exactly 18,181 votes, suggesting either rather unimaginative vote tampering or a software bug. In either case, it indicates the new machines gave inaccurate but untraceable electoral results.

The same software engineer summarizes Diebold’s credibility thusly: “Diebold Election Systems… have faced embarrassment after embarrassment. First, hackers easily broke into their rather insecure FTP server to access their proprietary code, then researchers reported on numerous security flaws, and then more hackers found internal memos revealing that Diebold was aware of the security flaws and also faked demonstrations to election officials. This does not exactly inspire confidence that Diebold’s software is any more secure than Microsoft’s. To top it off, they are now accused of installing uncertified software patches for Georgia’s 2002 gubernatorial election. Another case where a paper trail would have been invaluable.”


The subsequent outrage was well-expressed in an editorial response from Democracy Now on June 4, 2003:

“Not only does Mr. O’Dell want the contract to provide every voting machine in the nation for the next election – he wants to ‘DELIVER’ the election to Mr. Bush. In fact, Mr. O’Dell’s fundraising appeal on behalf of President Bush came one day before Ohio Secretary of State Ken Blackwell, also a Republican, was set to qualify Diebold as one of three companies eligible to sell upgraded electronic voting machines to Ohio counties in time for the 2004 election. INCREDIBLE!! On the day before the Ohio Secretary of State was set to qualify Diebold to provide voting machines for the state of Ohio, its CEO said in a letter he will ‘DELIVER’ Ohio for President Bush.
“There are enough conflicts in this story to fill an ethics manual – but suffice it to say – when it comes to an issue as sensitive as how and who tabulates the votes of the American people – this episode is truly outrageous. Either Diebold should cease seeking the contracts for voting machines or Mr. Bush, the RNC and its affiliated committees should return the campaign cash they have received from Mr. O’Dell and his fundraising appeals and from Diebold.”
The reaction from a single New Jersey voting district is indicative of misgivings an outrage being experienced all across the nation. A local writer in Trenton, Mercer County New Jersey, recently described the dilemma citizens in this district were faced with using the touch-screen no paper trail system:

“When Mercer County residents go to the polls in November to select the next president of the United States, they'll have little choice but to press the electronic screens on the county's new voting machines and then just hope the device does its job.

“The machines will not be able to produce paper ballots to allow voters to verify their selections, an incensed Mercer County Executive Brian M. Hughes said yesterday.

“Officials at Sequoia Voting Systems conceded yesterday they will not be able to retrofit the new machines with printers in time for the general election.

“Hughes said the company promised to have the printers designed, built, tested and approved by the federal government in time for the election. ‘I put $500,000 in the capital budget for this upgrade based on Sequoia's recommendation,’ Hughes fumed. ‘They said they can deliver. Now they say they can't.’

“Hughes said the machines have been used by other New Jersey counties. He does not believe they are inherently flawed, but said he has become convinced that a voter-verified paper trail is essential to promote absolute voter confidence in election results.

“The county spent $3.9 million on the machines last year to replace its aging fleet of mechanical voting machines.

“Sequoia spokesman Alfie Charles said his company is in the midst of getting paper ballot printers approved by the government for Sequoia's touch-screen machines that are different from the machines the county purchased.

“ ‘We know there's an interest in Mercer County for paper audit trails, but November is not going to be a realistic timetable given the federal and state regulations and testing requirements,’ Charles said.

“Once the printer is approved for the company's touch-screen machines, it will have to be adapted with different hardware and software, and then tested and approved, for the bigger machines Mercer County purchased, Charles said.

‘But we are committed to doing that as soon as possible,’ he said.

“Hughes embraced the paper ballot backup system after Rep. Rush Holt, D-Hopewell Township, introduced federal legislation requiring such features on all electronic voting machines. Some critics have argued that electronic machines could fail or be manipulated without paper records to verify each voter's ballot.

“Charles said the printer that will be built for Mercer's machines will print a paper ballot that will appear behind a glass screen for voters to inspect. If the paper ballot corresponds to their choices on the electronic ballot, they'll press a button to finalize their vote. The paper ballot automatically will be dropped into a locked ballot box.

“If the voter detects a discrepancy between their electronic and paper ballots, they can check their electronic selections and make any desired changes, and examine a new paper ballot printout prior to finalizing their vote, Charles said.”

The Federal Legislation mentioned is currently bottled up in Congress, and unlikely either to pass, or pass in time to effect the technology used in the 2004 elections.

The Legislation in question is “The Voter Confidence and Increased Accessibility Act of 2003.

In the House of Representatives it is HR 2239 introduced by Congressman Rush Holt (D-NJ), while

in the Senate, it is S.1980 introduced by Senator Bob Graham (D-FL). It includes the following key provisions:

SEC. 4. PROMOTING ACCURACY, INTEGRITY, AND SECURITY THROUGH VOTER-VERIFIED
PERMANENT RECORD OR HARD COPY.
(a) IN GENERAL- Section 301(a)(2) of the Help America Vote Act of 2002 (42
U.S.C. 15481(a)(2)) is amended to read as follows:
`(2) VOTER-VERIFICATION AND AUDIT CAPACITY-
`(A) VOTER-VERIFICATION IN GENERAL- The voting system shall produce a
voter-verified paper record suitable for a manual audit equivalent or
superior to that of a paper ballot box system, as further specified in
subparagraph (B).
`(B) MANUAL AUDIT CAPACITY-
`(i) The voting system shall produce a permanent paper record, each
individual paper record of which shall be made available for inspection
and verification by the voter at the time the vote is cast, and
preserved within the polling place in the manner in which all other
paper ballots are preserved within the polling place on Election Day for
later use in any manual audit.
`(ii) The voting system shall provide the voter with an opportunity to
correct any error made by the system before the permanent record is
preserved for use in any manual audit.
`(iii) The voter verified paper record produced under subparagraph (A)
and this subparagraph shall be available as an official record and shall
be the official record used for any recount conducted with respect to
any election in which the system is used.
`(C) SOFTWARE AND MODEMS-
`(i) No voting system shall at any time contain or use undisclosed
software. Any voting system containing or using software shall disclose
the source code of that software to the Commission, and the Commission
shall make that source code available for inspection upon request to any
citizen.
`(ii) No voting system shall contain any wireless communication device
at all.
`(iii) All software and hardware used in any electronic voting system
shall be certified by laboratories accredited by the
Commission as meeting the requirements of clauses (i) and (ii).'.

This would seem to satisfy at least some of the criticisms leveled by the scientific community and civic watchdogs at the presently in place touch-screen systems, but the resolution has found virtually no Republican support to date, and is therefore unlikely to be enacted into law for the foreseeable future.



It should be emphasized that, from a technical standpoint, it is entirely possible to design a user-friendly touch-screen system that does, at least, leave a paper trail. Electronic Systems & Software (ES & S) proposed such a system for California, described succinctly by Jonah D. King:

“The voter steps to the voting machine with a poll worker who has the Personalized Electronic Ballot, an electronic activation device—it looks like an 8-track tape cartridge—that unlocks the machine. Once the poll worker inserts and removes the PEB, the voter can vote in privacy.
“The voter would first select a language in which to vote. The machine would then proceed to each election race, allowing the voter to cast a vote for only one candidate per race and “yes” or “no” on initiatives.
“Once the voter has gone through the ballot, the machine would bring up a screen that would summarize the voter’s choices and allow the voter go back and make changes.
“Printed under a sheet of magnified Plexiglas, the 3-1/2 inch-wide ballot (with variable length, according to the number of ballot measures) would be inaccessible to the voter and polling place workers. Printing on the ballot would appear to be the same as 14-point font on a computer.
“The ballot would stay behind the Plexiglas while the voter confirmed that the machine had registered all the votes correctly. Once satisfied that the votes had been recorded correctly, the voter would push the large red ‘Vote’ button at the top of the apparatus.
“The ballot is then air-driven into the locked ballot box, meaning there are no moving parts touching the ballot while it is behind the Plexiglas.
“Should there be a recount, Mr. Slocum said ballots could either be manually counted or counted by machine using a barcode printed on each ballot.”

This at least allows for a hardcopy recount in a suspicious or disputed election. However, it does not address the thorny issues raised by Ms. Harris and others. Like the internet itself, it is debatable whether the system has been invented –indeed can be invented—that cannot be hacked an altered, both on site at the voting station and online between the machine and centralized vote recording centers.

There are further compromised and suspicious data, which may shed insight into why Diebold seems to be favored despite the flaws, and why paperless systems might be favored by Diebold.

Select Hardcopy References Consulted
Democracy Now September 4 2003
Harris, B. (2003). Black Box Voting: Ballot-Tampering in the 21st Century : online copy.
O'Brien, Patrick, Editor, Encyclopedia of World History - -Facts On File
Verton, D. (May 2004) Computerworld "50M Electronic Votes Could Be Insecure, Say Researchers"

Key Websites Consulted
http://avirubin.com/vote/analysis/index.html

http://avirubin.com/vote/analysis/index.html
http://www.blackboxvoting.com/
http://news.yahoo.com/news?tmpl=story&u=/nm/20040707/us_nm/campaign_florida_dc_3
http://www.dougsimpson.com/blog/archives/000291.html
http://www.diebold.com/dieboldes/
http://verify.stanford.edu/evote.html/
http://fling93.com/about.html

What I want to see is how the exit poll differences relate to polling places with paperless trail systems.

Gotta go--think my youngest has a cold.

Latest Month

November 2019
S M T W T F S
     12
3456789
10111213141516
17181920212223
24252627282930

Tags

Powered by LiveJournal.com
Designed by Tiffany Chow