Saturday, February 17, 2007

H.R. 811, the new Holt bill

Earlier this month, US Congressman Rush Holt (D, NJ) introduced H.R. 811, a bill to amend the Help America Vote Act of 2002 to require a voter-verified paper ballot. I have read the bill, as well as some of the criticism by various activists.

In my opinion, passage of the Holt bill would be the single most positive development in this country this decade to ensure the security, integrity and verifiability of elections. As a federal law, this legislation would establish a baseline for all states that would exceed the security and audit of elections in most states today.

The bill is well thought out. It addresses the issues of audit, security, privacy, recounts, conflicts of interest, testing, certification, and cost. I was personally privy to discussions on these issues as the text for the bill was being drafted, and I believe that the reason that this bill handles all of these difficult issues so well is that the Holt staffers took their time, acted deliberately, and consulted with the top experts, until they got it right.

The primary criticism from a subset of the activists is that the bill does not go far enough. For example, it does not ban DREs, as long as they are equipped with a voter verified paper record that is not kept in sequential order. Personally, I would support a ban on all DREs, with paper trails or without. However, the lack of such a ban does not detract from the fact that the Holt bill as it reads would do more to improve election integrity, security and audit than anything that anybody else is doing.

Similarly, when I read the NIST report about software independence (SI), and the resulting recommendation that legacy systems be allowed, and that only future systems will require SI, I would have preferred that all non-SI systems be immediately decertified. But, the net result of that report was positive and will ultimately lead to better elections in this country.

As we move forward, it is important to constantly improve our elections. I believe that the Holt bill has the potential to take the biggest step this country can take towards the ultimate goal of minimizing fraud and error, while increasing access, confidence, and thus, hopefully, participation in public elections in the United States.

Tuesday, February 13, 2007

ACCURATE 2006 annual report available online

I am the director of the NSF ACCURATE center. People often ask me what the center does. I'm asked when our new voting system will be ready, or if we can hack some other voting system. Well, we are not building a voting system, and hacking voting systems is also not in our charter. However, we have prepared an annual report detailing our activities in 2006. The report is available online.

Sunday, January 28, 2007

Bad Software All Around

Earlier this week, I took a train up to NYC to give a talk to some potential ISE customers on Wall St., a collection of Chief Information Security Officers and other executives from financial firms. I was asked to speak about software security, and two things happened on this trip that put to rest any doubt that the current state of software security and network security is dismal. I didn't doubt it, but I thought it was particularly humorous that these happened on a trip whose purpose was to give this particular talk.

I arrived at my hotel about an hour before I was scheduled to speak. Since the hotel was only a couple of blocks from Wall St., I figured that I had time to go online and read my email. I opened up my laptop in my room and saw that there was a WiFi base station whose SSID was "Exchange" (which was the name of my hotel) along with several other available base stations. So, I connected to my hotel's access point. I had full bars, so the connection was strong, but I was unable to reach my email server. I had a look at the IP address assigned to me by the network and noticed that it was a factory default address that was probably not what the hotel was using. So, I called the front desk, and I told the woman who had just checked me in that I was having a problem with the wireless network. It seemed that I was not getting a valid IP address. She said something about their street address, and I realized that while this nice lady was very good at checking me into my room, she was not going to be the best tech support person I had ever had.

I explained to the woman that I was able to connect to the wireless network, but that I was unable to read my email because the network was not working. She understood that and said, "Yes, this happens all the time. I will just reboot the thingy. Give it a few minutes and try again." That sounded like a reasonable solution. Meanwhile, I tried the other wireless networks, and none of them would allow a connection without a password. I chalked this up to progress.

Several minutes later, I reconnected to the Exchange network, and I was assigned what looked like a normal NATed IP address. But, I was still unable to connect anywhere. So, I opened up a browser window to see if I needed to log in. What I saw surprised me at first. It looked like some kind of menu console for managing an appliance. I clicked around and realized that I had the ability to configure routing and firewall rules. In fact, I was logged into the hotel's router - the "thingy" if you will. I smiled to myself at the thought of what I could do if I wanted to, but I quit out of that and was able to access the Internet. The connection was pretty slow, and I chuckled at the thought of getting back into the administration console to filter out the other users in the hotel. Of course, I decided against that.

Unbelievable!

But, it gets better.

When I arrived back at Baltimore Penn Station, I left the train and walked to my car. I drove up 2 levels in the parking garage, and I arrived at the exit gate. This parking garage installed an automated system where you use a credit card to get in when you arrive, and if you use the same credit card when you leave, you don't need to take a ticket, and it charges that card and lets you out. At least that's the theory. It didn't work that way on this trip. As I approached the exit, I saw that there were two lanes open for exiting, and that the car in front of me had pulled into one of them. So, I went to the other one and inserted my credit card. On my mind was my daughter's school play, which started in about an hour. I had time to grab a quick sandwich and then head to her school. I had planned my trip so that I could be back in time to see her perform.

After about a minute, it seemed odd to me that my credit card had not come out yet. The machine said that it was validating ticket data. But, I had not inserted a ticket. So, I pressed the intercom button, and an attendant asked if she could help me. I told her that I put my credit card in a while ago, and that I wanted to pay and leave. The gentleman in the truck in the other lane yelled to me that he was in the same boat, so I told the woman that neither one of us could leave. She asked us to hold on a second, and in about another minute a woman in a parking attendant uniform appeared. She told me that it might be that the other gentleman and myself inserted our credit cards at the exact same time in the two different machines. I agreed that this was indeed possible. In the meantime, a rather long line of cars had formed behind us.

The parking attendant backed up all of the cars and suggested that I back up about one car length, and that the other gentleman do the same. Then, she suggested that I drive back up to the machine, which I did. My credit card came out, but she said I had to reinsert it. I did, and it said that it was validating ticket data. The attendant said, "oh no." That didn't sound good. I asked what the problem was. She said that every once in a while, when two people insert their credit cards at the exact same time, it crashes their whole system. We did the back up thing again to retrieve our cards. Since the other guy was first, she went and processed his payment manually. That took about 3 minutes. Then, she took my credit card and went to do mine. In the meantime, another car behind me drove into the other lane, which was now available and inserted his card. The system did not respond. It was hosed. A few minutes later, she came back and gave me my credit card and receipt and opened the gate so that I could exit. The line of cars was now very long, and she said she would have to do them all by hand until a technician could come. I have no idea where this technician was coming from, but I was glad to be on my way. I got that sandwich, but because of my delay, I had to eat it in the car on the way to my daughter's play.

What kind of software design results in this kind of crash? The answer is pretty clear to anyone who has worked with software. While they may have tested the system exhaustively, they probably did not test the possibility of putting credit cards in two different machines at the exact same time. Which brings me back (as usual on this blog) to voting machines. They may be tested and tested and certified and verified and validated. But, if on Election Day something unusual happens, a scenario that was not anticipated, something might go very wrong. And, if there is no tangible, physical record of the votes that were cast on the machine, then votes might be lost in an unrecoverable way.

Given what I've seen about voting system standards and voting system testing labs, I would bet money that the parking garage system at Baltimore Penn Station was tested more extensively before it was deployed than the Diebold voting machines that we use in Maryland.

Friday, November 24, 2006

Krugman way off base on Alec Yasinsac

This morning, Paul Krugman has an Op-Ed in the New York Times titled When Votes Disappear. Normally I would be very pleased to read such an op-ed, and I was today as well, until I got two thirds of the way down and saw this:

    "Although state officials have certified Mr. Buchanan as the victor, they’ve promised an audit of the voting machines. But don’t get your hopes up: as in 2000, state election officials aren’t even trying to look impartial. To oversee the audit, the state has chosen as its “independent” expert Prof. Alec Yasinsac of Florida State University — a Republican partisan who made an appearance on the steps of the Florida Supreme Court during the 2000 recount battle wearing a 'Bush Won' sign."

I almost fell out of my chair when I read that. Now, I was one of the first people to criticize the use of partisan officials to administer elections, such as Ken Blackwell, who, while he was the secretary of state of Ohio, was also co-chair of President Bush's reelection campaign in that state. But, what a different perspective it gives when you know the full story, as I do with Alec Yasinsac.

The Security and Assurance in Information Technology Laboratory (SAIT) at Florida State is the best security research group in the state of Florida if not the Southeast. I'm quite familiar with their research. The professors there include Breno de Medeiros, a recent Ph.D. alumnus of our program at Johns Hopkins, Mike Burmester, a famous cryptographer, and of course Alec Yasinsac. I have known Alec for about 12 years. He is an extremely talented researcher and well respected security expert. The state of Florida contacted SAIT because they are the top computer security research group in the state. As soon as they were contacted, Alec Yasinsac called me with several other members of their lab on the phone because he was concerned that his Republican affiliation was being blown out of proportion by the local press. I understood his concern, but also noted that he is part of a whole group there, and that I believed they should perform this security audit. I also know that this group has recruited outside help from notables such as David Jefferson and Princeton Professor Ed Felten, who I believe are both involved in the audit, and are completely nonpartisan in their work.

I know very well that the SAIT group, including Alec, are only interested in finding out the truth and discovering what happened with the voting machines, if it is at all possible to do so. Hearing a high profile columnist such as Krugman refer to my friend Alec Yasinsac as a partisan hack really stings, and it causes me to now question every time I see someone painted with such a brush in the media. Furthermore, Krugman writes his pieces as though Alec would be performing the audit alone. What a difference it makes to actually know the people involved very well. Krugman would have done well to interview some computer scientists about Alec and SAIT before dismissing this audit out of hand. Sadly, I think this incident illustrates that this columnist is willing to embrace whatever circumstances and appearances serve his message with no regard for whether they are legitimate.

Wednesday, November 08, 2006

A Worst Case Scenario for a midterm election?

In several recent elections, the eyes of the country fell on one particular jurisdiction that came under the microscope and affected the entire nation. In 2000, it was Florida and hanging chads. In 2004 it was Ohio and long lines, and in 2006 it is shaping up to be Virginia and a single race that will determine which party controls the senate. Every article I have read today states that the race is going to come down to a recount.

Uh oh.

Virginia uses a plethora of different voting technologies. Just about every major vendor is represented. Most of the votes in that state were cast on paperless DREs. There are no ballots to recount. A meaningful recount in Virginia is not possible.

The DRE vendors like to pretend that they can perform recounts. They take the vote totals on the machines and print corresponding ballots, and then count them by hand. Let me give an analogy to demonstrate how silly that is. It would be comical if vendors weren't actually doing it and convincing people that they were performing a recount.

Imagine if you had a word document on your computer, and the document stated some fact. You were not sure if the fact was true. So, to verify the fact, you print the word document, and then you read it out loud and say, "Ah, if that's what it says, then it must be true because I'm looking at a printout." What the vendors are doing is printing out the questionable results and then counting them. Of course they are going to match what was on the machine, but they do not provide an independent count. The so-called recounts of DREs are really just print and count, not RE-count. It is a waste of time.

Now, we hear that in Sarasota County, there were 18,000 undervotes in the race for the 13th congressional seat. The race is expected to be decided by fewer than 400 votes. If paper ballots had been used, the huge number of undervotes could be investigated. Without them, there is no recourse - no way to figure out why this happened. I have several theories. Perhaps that many people just did not care about that race. Unlikely in my opinion. Most likely is that the human interface, that is, candidate placement on the ballot, caused many people to miss that race. The next possibility is that a software glitch caused votes in that race not to be counted. Finally, it is possible that someone actually did something to cause this. The problem with paperless voting is that we'll never know, and there will never be any way to find out.

It is unbelievable that the control of the US senate is coming down to a close race that cannot be recounted, and for which there are no physical ballots. The vendors may come out with their "emperor's clothes" recounts, but the public should understand that these are not really recounts, they are just print and count.

Tuesday, November 07, 2006

My Day at the Polls - Maryland General Election 2006

I woke up at 4:30 this morning, although the alarm was set for 5:15. I guess I had a lot of adrenalin pumping about the election. Would it be a total meltdown? Would the e-poll books work? Would the voting machines boot up playing cartoon videos on the screen, or would they appear to work fine? Last night, I went into the precinct after work to help set up the voting machines. We spent about an hour and a half figuring out the best way to configure them and the best way to process the voters, assuming we had long lines like we did in the primary. That saved us a lot of time, and I believe is the only reason we were able to open the polls on time this morning. But, I think that getting started the night before is what triggered the adrenalin rush that caused me to get so little sleep. I am pretty certain that the machines stayed in the synagogue great room unattended overnight.

For the most part things went fine in our precinct. Turnout was extremely high, and we had long lines at times, but I don't believe anybody left without voting due to that. We averted several problems that could have been serious due to the diligence and foresight of our excellent chief judges and the rest of the poll workers. For example, one of our chief judges discovered during the day that we were short two tamper tape seals, which would have caused us to be unable to properly seal two of the voting machines when we closed the polls. She discovered this because she was checking and double checking everything throughout the day. She placed a call to the board of elections, and they sent us the missing tamper seals. Here's another example: When voters check in, there is a voter authority card printed that has the voter's name and party affiliation on it, and which the voters sign. This paper is then put in an envelope on the machine that the voter uses. We were running out of paper, and when one of the printers could not print anymore, we shut down that poll book temporarily, and one of our judges rushed off to another precinct to get some paper for the e-poll book printer. Then, we were able to reopen that e-poll book. We laughed when we discovered 4 extra rolls of paper in one of our boxes at the end of the election. We had just missed them earlier.

The judge who went to the other precinct to get the paper reported that the other precinct had only two voting machines there, and that one of them had died after around 75 votes had been cast on it. That machine was taken out of service and sent to the nearby town of Towson, where presumably the internal flash of the machine would be used to recover those votes. Meanwhile, another voting machine was supposed to be delivered to replace it. I never found out if that happened.

In the early goings, about the most dramatic thing that happened in our precinct was that a woman thought she dropped her hearing aid into one of the machines and insisted that we take it apart to try to recover it. Luckily, it was found nearby on the floor. As to our technical support, once again, as in the primary, our technician was a representative from Diebold who had been hired the day before, and who was servicing three precincts. I saw her from time to time during the day, but as far as I could tell, she really did not have much to do. She was not allowed to touch the machines.

I was impressed with the performance of the e-poll books that failed so miserably in our primary. In our precinct, they worked flawlessly. I observed them very carefully. One test I did was when a couple split up and the husband checked in on my e-poll book, while his wife checked in on the one at another table. The instant that the wife was checked in, she appeared as having voted on my e-poll book. I repeated this test several times. We ran three e-poll books, and I watched them in many different situations throughout the day, and I did not find a single problem. In fact, as a poll worker, I can say that they were quite handy, especially when people came in who were in the wrong precinct, and we were able to tell them where to go because we had the whole state's database on each e-poll book. I still feel that I would prefer a paper card check in system because of fear of how stuck we would be if the power went out, or if the machines failed in an unexpected way. But, with a simple augmentation to our procedures, I would be happy to use these poll books. The modification I would make would be for the check in judges to also have a printed booklet of all the registered voters, sorted in alphabetical order. It would only have to have names, and say, birth dates (to make duplicates unlikely). The judges would have to place a check mark next to each voter's name as they voted. Thus, if the e-poll books worked fine, the burden would be rather small. If they failed in the middle of the election, we would have 3 booklets with sorted lists of who had voted, and we could continue checking in voters with the booklets, making sure nobody checked in more than once. It would be enough of a backup system to make me happy, and under those circumstances, I would support using the e-poll books. (The privacy issues about whether it is a good idea to have so many electronic copies of this database out there is another story. 
It's important, but I will not address it here because I'm exhausted, and I have a lot of other things to say about our election today.)

I was on a media black out while at the polls, and I just returned home a few minutes ago, so I have no idea what happened in the rest of the country, or in the rest of Maryland today. I can say that in my precinct we only had one serious event with the Diebold voting machines. It happened after we had already closed the polls, and the last few voters who were in line when we closed the doors at 8 pm were voting. This occurrence underscored my biggest concerns and fears about these machines. Before I describe this problem, let me talk about one aspect of my day at the polls. After the primary in September, I wrote a blog entry like this one about my day at the polls. Many of my fellow judges that day eventually read that blog entry, and between that day and today, I have been in the local media in Baltimore quite a bit, appearing on radio shows almost daily, and several times on many days, and appearing on local television a few times a week. By the time our election came around today, my position on e-voting was pretty well known to my fellow judges and to many of the voters who came into the precinct today. As a result, several of the other judges, and quite a few voters commented to me that they were going to read my blog entry tonight; it was a given that I would blog about it. Knowing that I was going to write this, and that many people were going to read it, made people pretty careful to include me in every discussion about issues that came up, and to make sure every single aspect of our election was by the book, which I don't think is the way the majority of precincts are run, based on emails I've received from many election judges in other precincts after the last several elections.

So, while we were watching the last handful of voters cast their ballots (oops, I should say "touch their candidates' names on a screen" because we don't use ballots in Maryland, except for absentee and provisional), one of the chief judges came up to me and said that there was a "situation". I was called over where a voter was explaining to one of the judges what had happened, and he repeated his story to me. The voter had made his selections and pressed the "cast ballot" button on the machine. The machine spit out his smartcard, as it is supposed to do, but his summary screen remained, and it did not appear that his vote had been cast. So, he pushed the smartcard back in, and it came out saying that he had already voted. But, he was still in the screen that showed he was in the process of voting. The voter then pressed the "cast ballot" button again, and an error message appeared on the screen that said that he needs to call a judge for assistance. The voter was very patient, but was clearly taking this very seriously, as one would expect. After discussing the details about what happened with him very carefully, I believed that there was a glitch with his machine, and that it was in an unexpected state after it spit out the smartcard. The question we had to figure out was whether or not his vote had been recorded. The machine said that there had been 145 votes cast. So, I suggested that we count the voter authority cards in the envelope attached to the machine. Since we were grouping them into bundles of 25 throughout the day, that was pretty easy, and we found that there were 146 authority cards. So, this meant that either his vote had not been counted, or that the count was off for some other reason. Considering that the count on that machine had been perfect all day, I thought that the most likely thing is that this glitch had caused his vote not to count. Unfortunately, because all the other voters had left while this was going on, other election judges had taken down and put away the e-poll books, and we had no way to encode a smartcard for him. We were left with the possibility of having the voter vote on a provisional ballot, which is what he did. He was gracious, and understood our predicament.

The thing is, that I don't know for sure now if this voter's vote will be counted once or twice (or not at all if the board of election rejects his provisional ballot). In fact, the purpose of counting the voter authority cards is to check the counts on the machines hourly. What we had done was to use the number of cards to conclude something about whether a particular voter had voted, and that is not information that these cards can provide. Unfortunately, I believe there are an unimaginable number of problems that could crop up with these machines where we would not know for sure if a voter's vote had been recorded, and the machines provide no way to check on such questions. If we had paper ballots that were counted by optical scanners, this kind of situation could never occur.

Some conclusions now before I go off to bed. I believe that with proper care, diligent following of procedures, and no unexpected computer or power glitches, there is the possibility that an election in Maryland can run smoothly in a given precinct. We will never know if the results produced by the machines are an accurate tally of the votes that were cast. Did we get it right today in my precinct? It's very possible. The results were consistent with the expected outcome based on our demographics. The only surprise was that Republican Governor Ehrlich beat out Democratic Mayor O'Malley in the governor's race by about 14% of the vote. This was surprising because our precinct voted 2-1 or more for Democrats in all other races, and the precinct is known for having that ratio. Still, I think that the governor's race results are not unrealistic given conversations I've had with democrats who were going to vote for him. But here's the rub. We cannot audit our election. We cannot perform a recount. We cannot see how the votes were really counted. We had election observers in our precinct, and they had nothing to observe, except to write down the final tallies when the outcome was computed.

So, the election is finally over. In the morning, we'll probably have many results across the country and some places where the races are too close to call. In Maryland there are still over 180,000 absentee ballots that need to be counted. All around America, poll workers such as myself are going to sleep now, exhausted after working at least 16 hours as volunteers, putting in this day so that we can continue to enjoy the benefits of democracy. Now it's time for partisans to put aside their differences and to figure out how to design better voting systems that can be independently audited, that are not too vulnerable to failures and human error, and that are completely transparent to voters in every way. In Maryland, the pendulum has swung far away from such systems, and I am hopeful and optimistic that we will switch to a precinct-count optical scan paper ballot system with random spot audits before the elections in 2008.

Monday, November 06, 2006

Advice to Voters on November 7

Well, tomorrow is Election Day, and 39% of voters will be casting their votes on electronic voting machines, and the vast majority of votes in the US will be counted by electronic equipment. While I do not believe that there is any reason to have confidence in the fully electronic paperless voting machines used in Maryland and in many other places, I still think that the only way to make sure your vote is not counted is not to vote. So, I suggest that everybody who is registered to vote, get out and vote! Here are my suggestions to voters:

  1. Check your voter registration card and sample ballot that you hopefully received in the mail to make sure you know where your polling place is. You would be surprised at how many people go to the wrong precinct. Show up during the non-rush hours if you can. The slowest times are probably between 10 a.m. and 3 p.m.
  2. Check your summary screens carefully. There have been reports in Florida and Texas of summary screens presenting different candidates from the ones chosen by the voters. Furthermore, there have been reports of certain races not appearing at all in the summary screens, despite voters casting votes. Finally, there are reports of e-voting machines in Virginia truncating the names of candidates on the summary screen. If you find any discrepancy, report it immediately to the poll workers and don't leave the polls without getting to a summary screen that represents exactly how you want to vote.
  3. Consider yourself to be a poll watcher during your time at the polls. Be vigilant of the behavior of other voters and the poll workers. Make sure nobody is loitering around any of the equipment. Feel free to ask the poll workers about security procedures. If you see any suspicious activity, report it immediately to the chief judge in the precinct and call the local board of elections.
  4. Sign up for Verified Voting's Election Transparency Project. They provide a toolkit for election observation.
  5. Read up on the equipment used in your precinct before you vote. There is an excellent resource for that on the EFF web site.
  6. If you experience any problem at the polls, call the Election Protection Hotline at (866) OUR-VOTE.

Let's hope that this election runs as smoothly as possible. Hopefully, in 2008, the momentum will shift away from paperless voting, and we'll be able to verify the outcomes of our future elections.

Tuesday, October 31, 2006

UConn VoTeR center report: Diebold AV-OS is vulnerable to serious attacks

A powerful new report was released yesterday about the Diebold AccuVote Optical Scan voting terminal (AV-OS). This is a thorough and independent security analysis of the machines that will be used in Connecticut to count votes on November 7. It is based on hands-on experimentation with the system, and is thus more like the Princeton study of the AccuVote TS than my team's earlier source code analysis. Like the Princeton team, the UConn researchers had no access to any internal documentation from the vendor, no source code, or any other information that would have given them an advantage over a random attacker who happened to get access to the machine. Everything they needed to know to perform the attacks was learned by reverse engineering the system and observing its behavior. The study was done as part of an evaluation on behalf of the state of Connecticut. The state should be commended for not only allowing, but for requesting this study. The report published on their web site explains the attacks in enough detail to be convincing, but some low level details are reserved for another copy of the paper that is only available from the authors by request.

The authors show that "even if the memory card is sealed and pre-election testing is performed, one can carry out a devastating array of attacks against an election using only off-the-shelf equipment and without having ever to access the card physically or opening the AV-OS system box." The attacks presented in the paper include manipulating the count so that no votes for a particular candidate are counted, swapping votes for two candidates, and reporting the results incorrectly based on biases that are triggered under certain conditions.

The attacks in this paper are cleverly designed to make a compromised machine appear to work correctly when the system's audit reports are evaluated or when the machine is subjected to pre-election testing. Besides manipulation of the voting machine totals and reports, the authors explain how any voter can vote an arbitrary number of times using (get this), Post-it notes, if the voter is left unattended.

The attacks are possible because of serious security vulnerabilities that could have been prevented with proper security design. For example, if a serial cable is connected to the AV-OS, an attacker with a laptop can easily obtain a dump of the memory card contents. The dump is obtained in cleartext because the system performs no authentication of any computer that is connected on that port. The dump can be very useful for an attacker, for example, to reconstruct the password and audit records associated with the memory card. The communication between the voting machine and the GEMS tabulation system is unencrypted and unauthenticated. Instead, they use a CRC as a checksum. In our 2003 report, we identified this as a weakness in the Diebold Accuvote TS because CRCs are easily broken. The authors of the new report show how to spoof the GEMS server to the AV-OS, which forms the basis of many of their attacks.
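To make the CRC point concrete, here is an added example (not code from the UConn report or from any vendor) contrasting an unkeyed CRC-32 check with a keyed HMAC over the same record. The framing, record contents and function names are constructed for illustration and are not the AV-OS/GEMS wire format.

```python
import hashlib
import hmac
import os
import zlib

CRC_LEN, MAC_LEN = 4, 32

def crc_frame(payload: bytes) -> bytes:
    # Constructed framing (payload + CRC-32), not the real AV-OS/GEMS format.
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")

def crc_accepts(frame: bytes) -> bool:
    payload, tag = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return zlib.crc32(payload).to_bytes(CRC_LEN, "big") == tag

def mac_frame(key: bytes, payload: bytes) -> bytes:
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_accepts(key: bytes, frame: bytes) -> bool:
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison

def crc_is_affine(a: bytes, b: bytes) -> bool:
    # For equal-length inputs: crc(a XOR b) == crc(a) ^ crc(b) ^ crc(zeros),
    # so the effect of any chosen bit flip on the checksum is predictable.
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    mixed = bytes(x ^ y for x, y in zip(a, b))
    zeros = bytes(len(a))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)

# Constructed sample records; the values carry no real election data.
SENT = b"precinct=012;contest=1;total=0215"
ALTERED = b"precinct=012;contest=1;total=0512"
KEY = os.urandom(32)  # assumption: known only to the two legitimate endpoints

def run_demo() -> dict:
    # A party on the link knows the public algorithm but holds no secret.
    changed_crc = crc_frame(ALTERED)  # CRC: recomputing the tag needs nothing
    changed_mac = ALTERED + mac_frame(KEY, SENT)[-MAC_LEN:]  # MAC: old tag only
    return {
        "crc_accepts_changed_record": crc_accepts(changed_crc),
        "mac_accepts_changed_record": mac_accepts(KEY, changed_mac),
        "crc_is_affine": crc_is_affine(SENT, ALTERED),
    }

if __name__ == "__main__":
    print(run_demo())
```

A CRC detects accidental line noise; only a keyed check lets the receiver tell a record from the legitimate peer apart from one rewritten on the wire.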

The authors also validate some of the attacks presented earlier by Harri Hursti. They report that the executable code on the memory cards (!!) can be changed so that the counter values change.

Reading this report was a hair raising experience for me. Diebold has clearly not learned any of the lessons from our 2003 report, and it is startling to see that their optical scan ballot counter is as vulnerable to tampering, vote rigging, and incorrect tabulation as the DRE. The big difference, of course, is that optical scanners can be audited. Ballots counted by hand can be compared to the totals of the AV-OS, and machines tabulating incorrectly can be identified. This report highlights the dangers of trusting any component of a voting system that is software based, and the importance of widespread random audits. With optical scan technologies, we can have a secure election even if the systems cheat, due to the opportunity to audit and perform recounts. With DREs, we are left with whatever results the machines compute.
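The audit argument can be quantified. The following added example (mine, not from the UConn report) computes the chance that a uniform random sample of precincts includes at least one miscounting scanner, and compares hand counts with scanner totals for the sampled precincts. The precinct names, totals and the assumption of a full hand count per sampled precinct are constructed for illustration.

```python
import random
from math import comb

def detection_probability(total: int, miscounting: int, audited: int) -> float:
    """P(a uniform random sample of `audited` precincts out of `total`
    contains at least one of the `miscounting` precincts)."""
    if not (0 <= miscounting <= total and 0 <= audited <= total):
        raise ValueError("need 0 <= miscounting, audited <= total")
    # comb() returns 0 when the sample cannot avoid every bad precinct.
    return 1 - comb(total - miscounting, audited) / comb(total, audited)

def sample_size_for(total: int, miscounting: int, confidence: float) -> int:
    """Smallest sample that reaches the requested detection probability."""
    for n in range(total + 1):
        if detection_probability(total, miscounting, n) >= confidence:
            return n
    raise ValueError("confidence not reachable (no miscounting precincts?)")

def audit(machine_totals: dict, hand_counts: dict, sample_size: int,
          rng: random.Random) -> dict:
    """Hand-count a random sample and report every precinct whose scanner
    totals differ from the paper ballots, as (machine, hand) pairs."""
    chosen = rng.sample(sorted(machine_totals), sample_size)
    return {p: (machine_totals[p], hand_counts[p])
            for p in chosen if machine_totals[p] != hand_counts[p]}

# Constructed data: ten precincts, one scanner reports swapped totals.
HAND = {f"P{i:02d}": {"A": 100 + i, "B": 90 - i} for i in range(10)}
MACHINE = {p: dict(v) for p, v in HAND.items()}
MACHINE["P07"] = {"A": HAND["P07"]["B"], "B": HAND["P07"]["A"]}

if __name__ == "__main__":
    print(detection_probability(10, 1, 5))       # half the precincts audited
    print(sample_size_for(10, 1, 0.85))          # sample needed for 85%
    print(audit(MACHINE, HAND, 5, random.Random()))
```

With a paperless DRE there is no `hand_counts` input to compare against, which is the difference the paragraph above describes.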

I strongly urge everyone to read this new report out of UConn.

Saturday, October 28, 2006

A preview of Florida 2006

There is a story in today's Miami Herald about glitches in the voting machines during early voting. You can only imagine what Election Day will be like if these problems were encountered with a relatively small number of voters at the polls. While most of my comments about e-voting have to do with security threats that are invisible, I am also discouraged by the widespread technical problems that are not just noticeable, but screaming for attention.

Quoting from the article,

    "He touched the screen for gubernatorial candidate Jim Davis, a Democrat, but the review screen repeatedly registered the Republican, Charlie Crist. That's exactly the kind of problem that sends conspiracy theorists into high gear -- especially in South Florida, where a history of problems at the polls have made voters particularly skittish."

The article contains other specific examples of the voting machines getting the wrong information on the summary screen. Who knows if the votes that are recorded correspond to the actual choices or to the summary screen? The fact that they don't match is enough reason to conclude that this is an unacceptable way to vote.

Our EAC chairman stated, as I quoted in my previous blog entry, "The bottom line is that our nation's voting equipment, election results and election officials can and should be trusted." I don't see how such a statement can be made in light of the problems with the equipment that early voters in Florida are reporting.

I'm often wondering what it will take to get rid of electronic voting in this country. I used to think that it might take a computer glitch or malicious hacker to cause a ridiculous result, but now I'm thinking that maybe these machines will just fail so miserably that the public will not tolerate them.

Friday, October 27, 2006

A response to EAC Chairman op-ed

In an opinion piece yesterday, EAC chairman Paul DeGregorio argues that academics who are criticizing electronic voting machines are running experiments "in the sterile environment of a laboratory" and that the "hype over hacking [can] discourage voters from participating in elections." He also states that the academic computer scientists who demonstrate that we can "hack a voting machine" with "unlimited time and resources" are proving nothing. I believe that these comments are aimed more at Ed Felten than at me, but I feel compelled to respond, or at least, to blog about this here.

In my book, Brave New Ballot, I use an analogy about the way the FDA tests drugs to demonstrate how broken the voting system testing process is. This comment by Mr. DeGregorio brings that analogy to mind again. Say that a drug is released to the public and that several well regarded doctors test the drug in their labs and determine that for some reason, this drug is dangerous. Can you imagine someone in the government reacting to that by encouraging people to use the drug and stating that these academic scientists are testing the drug in an unrealistic setting?

But, by responding that way, in a sense, I'm taking the bait because Mr. DeGregorio has actually mischaracterized our position with respect to electronic voting. His op-ed article is based on the flawed assumption that we oppose DRE voting machines because they can be hacked in the lab. While I believe that these machines are indeed vulnerable to undetectable viruses, and while I believe that the demonstrations put forward at Princeton are realistic and frightening, the truth is that focusing a debate on that question is a distraction from our real reasons for opposing these voting machines.

These machines are software based. They require trust in the people who wrote the software. They require that the software be free of bugs, and they provide no means for auditing or checking the vote count. The system is the least transparent voting apparatus I can imagine. Why should we use voting systems that require trust in the manufacturer, trust in their software, and trust that there will never be physical access to the machines by an attacker when there are simple and available voting technologies (e.g. machine or hand marked paper ballots with precinct optical scan and random audits) that do not require that level of trust?

Paul DeGregorio states in his article:

    "The bottom line is that our nation's voting equipment, election results and election officials can and should be trusted. Election officials ... deserve constructive criticism and solutions, not baseless attacks and unfounded accusations about the equipment they use. Attacking their integrity and the system in broad strokes is even less productive."

I have not seen any reason to trust our nation's voting equipment. Trusting it just because an election official says we should is not good enough for me. I want to trust a system because I don't believe it can be compromised, not because someone implies that not trusting it is not patriotic.