Saturday, April 11, 2009

CIA agent: Beware mixing votes and electrons

An interesting story by Greg Gordon of McClatchy Newspapers on testimony by CIA agent Steven Stigall to the US Election Assistance Commission.

Basically what I'm saying, you heard the old adage, follow the money. Here I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to get into the system and tamper with the vote count or make bad things happen...

One thing I was continuously reminded of in looking at this, if you look at that very bottom bullet there, I'm not so much looking at shenanigans on election day as I am all of the things that foreign actors try to do to try to effect the outcome of the election long before election day...

Any computer hooked up to the Internet either through a wire or through a wireless connection is a porthole for hackers. You heard that. I'm here to confirm it very simply...

Bottom line is all the countries I've looked at, yeah, about 36, 37 countries, all the scenarios by which they use electronic voting, they produce a paper ballot receipt, and it's part of the social contract that they have...

Now, again, what I said, traditionally in a traditional voting scheme, the greatest opportunity for fraud that we've seen in other countries is at the local level. When you introduce computers into the equation, you're moving that fraud upstream, and you're allowing a single point, electronic single-point failure. Meaning the potential for mischief can occur higher up the food chain electronically, much faster, and affect a lot more people in terms of the vote count than would be the case if fraud occurred at an individual level, where, again, you're talking about the classic scenario where ballot boxes get thrown in the river or fraudulent ballots get produced. Here it's electronic...

See also Michael Richardson's story for Boston Progressive Examiner


Tuesday, December 09, 2008

The more you check, the more errors you find.

Freedom to Tinker has a good post by Ed Felten on a discovery by the Humboldt County Election Transparency Project, as reported in Wired.
Election officials in a small county in California discovered by chance last week that the tabulation software they used to tally votes in this year's general election dropped 197 paper ballots from the totals at one precinct. The system's audit log also appears to have deleted any sign that the ballots had ever been recorded.
Yes, the vendor was Premier Election Solutions (formerly known as Diebold), and yes, it was (at least) a software bug that persisted over numerous versions of their system.

Apparently, Diebold/Premier optical scan systems aren't that much more trustworthy than their direct recording electronic (DRE) voting machines.

At least they had paper ballots to check against. Making them available on the Web is a brilliant policy stroke.


Monday, September 15, 2008

Auditing election results

Spotted in a ComputerWorld article by Grant Gross:
The groups, including Common Cause, Verified Voting and the Brennan Center for Justice, called on states to require post-election audits of electronic voting systems, including touch-screen voting machines and optical scan systems. The groups also released a set of recommendations (PDF format) for best practices in election audits...

Three auditable voting machines were patented before 1900, said Pamela Smith, president of Verified Voting. "So why are we here in 2008 promoting this concept?" she said...

"From a general standpoint post-election audits are an important aspect of sound post-election procedures that help to increase transparency and voter confidence levels while further verifying result accuracy or identifying issues that need resolution," said Michelle Shafer, vice president of communications and external affairs at Sequoia Voting Systems. "Post-election audits should not, however, be confined to electronic voting. Elections run with optical scan or paper ballots should be subject to the same post-election auditing."

Among the groups' recommendations for audit best practices: The public should be allowed to observe audits; the audits should be done by independent officials, not elections officials; and audits should use strict ballot chain-of-custody practices.


Wednesday, April 23, 2008

They don't add up!

Ed Felten has a new post on the discrepancies observed in vote totals from some of New Jersey's electronic voting machines in the 2008 presidential primary. See also this post.

Every time Ed (with the assistance of troubled voting officials) documents a new inconsistency in the machine reports, the vendor (Sequoia) and the New Jersey Secretary of State come up with a new explanation of how a harmless error could have crept in. Then he comes up with another clear error, and the explanation has to be made more elaborate to cover it, too.

It's not obvious how long this charade will have to continue until someone in authority insists on an independent investigation. Of course, it's "just votes," it's not like money was involved...

My past posts on evoting.


Friday, March 21, 2008

NJ election officials call for evoting investigation

A ComputerWorld article by Robert McMillan reports that a group representing county clerks in New Jersey has asked the state's attorney general to step in and investigate voting discrepancies observed in e-voting machines used in last month's presidential primary election.
"We want to know what the problems were and how do we fix them," Michael Dressler, the group's president, told IDG News Service.

Clerks from a half-dozen New Jersey counties reported discrepancies in the voting tallies generated by approximately 60 of the state's Sequoia Voting Systems AVC Advantage e-voting machines during last month's election. In most cases the discrepancy involved a one- or two-vote difference between the paper tape logged by the machine and the number of votes stored in the computer's memory cartridges.

Sequoia blamed the discrepancy on pollworker error and said the problem could be fixed with a software update, but state clerks wanted a third-party investigation.

Last Tuesday, Dressler's group asked Princeton computer science professor Edward Felten, a respected critic of e-voting systems, to examine the Sequoia machines. That plan was abandoned, however, after Sequoia threatened legal action against Felten and the county that offered to provide the systems, saying that such a review would violate the company's licensing agreement...


According to Joanne Rajoppi, the clerk with Union County New Jersey that had offered Felten the systems, Sequoia's explanation is not good enough. Her county has been using the Sequoia machines for about a decade, without incident. "We never had this problem in 10 years," she said. "Why did this problem never occur in another primary?"

Because only five or six counties double-checked their e-voting results, it's unclear how widespread the voting issues really were in New Jersey, Rajoppi said.
Updated to add: Ed Felten gives a very clear explanation of the nature and seriousness of the problem.


Tuesday, February 26, 2008

New Diebold flaw:
Election result leaked.

Exposé by The Onion ("America's Finest News Source").

See also: these and this.


Tuesday, February 19, 2008

"Votes went uncounted and no one complained."

Even getting paper ballots right can be a challenge, especially if you aren't particularly motivated to count all the votes.

IEEE Spectrum Online's "The Risk Factor" has a terse summary of a longer article by the Los Angeles Times.
Six years ago, Los Angeles County began using a ballot for nonpartisan voters that had a little-noticed design flaw. Confusion over how to mark the ballot, critics say, caused tens of thousands of votes to go uncounted in three elections between 2002 and 2006.

At the time, election officials knew that some votes were not being counted but saw no need to make changes. After all, the missing votes went unnoticed in the three primary elections and no one complained.


Monday, February 11, 2008

Sarasota: What the GAO didn't check

Very informative post on Ed Felten's "Freedom to Tinker."

I have a very high respect in general for the Government Accountability Office's processes and reports, so it's disappointing to see them muff this one so badly.


Monday, February 04, 2008

A dangerous experiment/precedent

David Dill and Barbara Simons have written a worrying column about the Democratic Party using internet voting for delegates representing overseas voters. "Like whack-a-mole, internet voting proposals have reappeared in different guises in the U.S. for much of the past decade."

See also "A seductively bad idea," and "This time, internet voting is being deployed."


Monday, January 14, 2008

New Hampshire Recounts Requested

ComputerWorld has an article by Todd R. Weiss about recounts of both major-party primary ballots requested (and being paid for) by two minor candidates (Kucinich and Howard). Fortunately, there are paper ballots to be recounted.
On Wednesday, a volunteer with e-voting watchdog group Black Box Voting posted a note on the group's blog alleging that election results in the town of Sutton initially gave candidate Ron Paul zero votes but that the total was later corrected to 31 votes. The mistake was attributed to human error by someone who left the 31 votes off a final tally sheet, the blog stated.

David Bright, a national staff member for the Kucinich campaign, said that incident is one example of why a full recount is needed. Bright said the unreported votes initially were noticed by a Sutton family of five voters who insisted they had voted for Paul, even though the unofficial tally sheet showed zero votes.

Additionally, he said, the statewide vote percentages for primary front-runners Hillary Clinton and Barack Obama "never changed all night, no matter how many precincts came in," and that in all towns where ballots were hand-tallied, Obama won, while in all towns with votes counted by optical-scanning machines, Clinton won.

The issue, Bright said, is that elections have to be accurate, and that voters need to be able to trust the systems used. The problem, he said, is that far too many questions are being asked about the integrity, security and accuracy of the e-voting systems used across the nation.

"With all the talk about whether the election system is good enough or not, this is a good place to start," Bright said. "This has got to be done before November" when the general election will be held.

Kucinich is raising the issue, Bright said, even though he finished a distant fifth in the New Hampshire primary... The Kucinich campaign wants to be a "catalyst" for mandating more accurate elections and for making a process that can be trusted, Bright said. "Nobody else is standing up for it," he said. "Everybody else is brain-dead on this. This is a matter that's crucial to America. Everybody is talking about it, and nobody is doing anything about it." ...

Chris Riggall, a spokesman for Premier Election Solutions Inc. of Allen, Texas, the makers of the e-voting optical scanning machines used in New Hampshire, said his company would welcome a recount.

"We think that any post-election audit ... including a recount of that, naturally, is great because we feel it's going to confirm what the machine counts showed," Riggall said. "If that goes forward, we'd be very pleased to see that happen. We're extremely confident" of the previously reported results.


Tuesday, January 08, 2008

Ask the Expert: David Dill

Stanford's School of Engineering website has an "Ask the Expert" page posing to Prof. David Dill the question: "Will we be ready for electronic voting in 2008?"

Excerpts:
The role of computers in voting should be limited, because computers are fundamentally limited machines. Computers are so complex that we can’t tell whether they are working properly. Because of system errors and the possibility of tampering, we may never have a computerized voting system that we can deem completely trustworthy...

Imagine a voting system in which you walked into a booth and dictated your votes to a man hidden behind a curtain. The job of the man would be to write your votes down and put them into a ballot box. Without the ability to see the man (the curtain is not transparent) how could you be sure that he was writing down your votes accurately? How could you be sure that he really put your ballot into the ballot box so that it would be counted? All-electronic voting systems are just as lacking in transparency.

There is no way for the voter to verify that the vote was recorded properly or that it was stored for counting. The computer is just like the man behind the curtain. Software can be programmed accidentally or intentionally to do the wrong thing. You can’t see what is happening inside the computer. It can even show you one vote while recording another...


Sunday, January 06, 2008

WARNING:
Your vote may be lost, destroyed, miscounted, wrongly attributed or hacked.

The cover story of today's New York Times Magazine is "Can You Count on These Machines?", by Clive Thompson. [free registration required to access]

It is a serious and non-sensationalist review of many of the issues surrounding direct-recording electronic (DRE) voting machines in American elections. The points made will be familiar to those who have read my earlier posts on evoting, but they are made in a very accessible manner that should be understandable by the average voter.

Some excerpts:

Jane Platten gestured, bleary-eyed, into the secure room filled with voting machines. It was 3 a.m. on Nov. 7, and she had been working for 22 hours straight. “I guess we’ve seen how technology can affect an election,” she said. The electronic voting machines in Cleveland were causing trouble again... She could only hope the machines had worked correctly...

In the last three election cycles, touch-screen machines have become one of the most mysterious and divisive elements in modern electoral politics. Introduced after the 2000 hanging-chad debacle, the machines were originally intended to add clarity to election results. But in hundreds of instances, the result has been precisely the opposite: they fail unpredictably, and in extremely strange ways; voters report that their choices “flip” from one candidate to another before their eyes; machines crash or begin to count backward; votes simply vanish...

It’s difficult to say how often votes have genuinely gone astray...

So what scares election observers is this: What happens if the next presidential election is extremely close and decided by a handful of votes cast on machines that crashed? Will voters accept a presidency decided by ballots that weren’t backed up on paper and existed only on a computer drive? And what if they don’t? ...

The 2000 election illustrated the cardinal rule of voting systems: if they produce ambiguous results, they are doomed to suspicion. The election is never settled in the mind of the public...

The upshot is a regulatory environment in which, effectively, no one assumes final responsibility for whether the machines function reliably. The vendors point to the federal and state governments, the federal agency points to the states, the states rely on the federal testing lab and the local officials are frequently hapless...

And on and on it goes. ES&S and Sarasota correctly point out that Jennings has no proof that a bug exists. Jennings correctly points out that her opponents have no proof a bug doesn’t exist. This is the ultimate political legacy of touch-screen voting machines and the privatization of voting machinery generally. When invisible, secretive software runs an election, it allows for endless mistrust and muttered accusations of conspiracy. The inscrutability of the software — combined with touch-screen machines’ well-documented history of weird behavior — allows critics to level almost any accusation against the machines and have it sound plausible...

The deep, ongoing consternation over touch-screen machines stems from something new: the unpredictability of computers. Computers do not merely produce errors; they produce errors of unforeseeable magnitude. Will people trust a system when they never know how big or small its next failure will be? ...

In the real world of those who conduct and observe voting machines, the realistic threat isn’t conspiracy. It’s unreliability, incompetence and sheer error...

That, in a nutshell, is what people crave in the highly partisan arena of modern American politics: an election that can be extremely close and yet regarded by all as fair. Not only must the losing candidate believe in the loss; the public has to believe in it, too...

Public crises of confidence in voting machines used to come along rarely, every few decades. But now every single election cycle seems to provoke a crisis, a thirst for a new technological fix. The troubles of voting machines may subside as optical scanning comes in, but they’re unlikely to ever go away.


Monday, December 17, 2007

Security and Privacy in State Voter Registration Databases

The Computer Science and Telecommunications Board of the National Academies is sponsoring a Study Committee on State Voter Registration Databases (VRDB). I was on a panel discussing Security and Privacy at their second public workshop.

The questions we were asked in advance to address were:
  • What principles should guide security decisions? How might these apply to voter registration databases?
  • What privacy considerations need to be taken into account?
  • What standard, adversarial test could be applied against each state's database? What would you include in such a test?

My thoughts on these topics are summarized in my slides. The presentations by my co-panelists Peter Neumann and Bradley A. Malin are also quite informative.


All tested DRE voting machines fail in Ohio study

The Ohio Secretary of State, Jennifer Brunner, has released a collection of reports from the experts she commissioned to study each kind of direct recording electronic (DRE) voting machine used in Ohio. All failed miserably. This is quite consistent with the results of the similar study in California.

The manufacturers, of course, insist that all problems will be solved by the next election. Somehow, they are going to become competent overnight.

Avi Rubin's blog has an excellent summary, which I can't improve on.

Updated to add: Matt Blaze, one of the principals in the study, also has an interesting post.


Monday, July 30, 2007

EVoting: California's Top to Bottom Review

Debra Bowen, the California Secretary of State, commissioned a Top to Bottom Review (TTBR) of electronic voting systems already certified for use in California. The results were not encouraging; COMPUTERWORLD has a good summary by Robert McMillan.
Researchers commissioned by the state of California have found security issues in every electronic voting system they tested.
If you'd like to dig a little deeper, the Overview of Red Team Reports by Matt Bishop is a good place to start. This report is also an excellent example of how to conduct, and to report on, a "red team" test.
For this TTBR, the specific goals of each system are to record, tabulate, tally, and report votes correctly and to prevent critical election data and system audit data from being altered without authorization. The threats were taken to be both insiders (those with complete knowledge of the system and various degrees of access to the system) and outsiders (those with limited access to the systems)...

The testers did not evaluate the likelihood of any attack being feasible. Instead, they described the conditions necessary for an attacker to succeed...

It is commonly accepted that no computer or computer-based system, called an information technology system, can be made completely secure. It is also commonly accepted that the managers of an information technology system have a responsibility to develop sufficient controls in and around a system to the point that continued operation of the system meets the requirements of the organization...

The California Secretary of State must certify any electronic voting system before it can be used in California elections. One of the requirements is that the system be federally certified to meet the 2002 Voting System Standards (VSS). Independent testing authorities (ITAs) test the electronic voting system to certify compliance with these standards. All three systems in this study were so certified...

The major problem with this study was time. Although the study did not start until mid-June, the end date was set at July 20, and the Secretary of State stated that under no circumstances would it be extended. This left approximately 5 weeks to examine the three systems...

The short time allocated to this study has several implications. The key one is that the results presented in this study should be seen as a “lower bound”; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities...

Despite these problems, the red team testing was successful, in that it provided results that are reproducible and speak to the vulnerability of all three systems tested...

The red teams demonstrated that the security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results.

Electronic voting systems are critical to the successful conduct of elections in those jurisdictions where they are used. Given the importance of voting and elections in the governing of the State of California, one may safely say that these systems are “mission critical”. Such systems need to be of the highest assurance in order to ensure they perform as required. Techniques for developing such systems are well known but, sadly, not widely used. Vendors would do well to adopt them for electronic voting systems.

Similarly, many components of voting systems run on commercial operating systems. A non-secure underlying operating system offers attackers avenues into the software that the operating system runs, in this case the vendors’ election management systems. Hence vendors must ensure that whatever underlying operating system their software runs on meets the security requirements that their software meets.

A key idea underlying high assurance techniques is that security should be part of the design and implementation of the system and not added on “after the fact”. The reasons for this need not be repeated here. Many of the components tested appear to have been hardened by taking their basic design and adding security features. As a result, the testers were able to exploit inconsistencies between the protective mechanisms and that which they were intended to protect.

Vendors should assume the components of the voting system will be used in untrusted environments in which they cannot be adequately monitored. Thus, their physical protections should be “hardened” to withstand determined attack. The added barrier that such mechanisms create will hamper the ability of attackers to obtain illicit access to the components even if lapses in procedural mechanisms allow them unobserved or unfettered access to the systems.

Of equal importance is the ability to detect when such attacks occur. Again, this speaks to security mechanisms as being “layered”; one must implement mechanisms to prevent compromise, and then add mechanisms (which may be the same as the previous ones) to enable observers to detect compromise should the preventative mechanisms fail. See for example Elisabeth Sullivan’s excellent discussion in [9], chapters 18 and 19.

Because detection requires that people take some action, the security mechanisms require that specific procedures be designed in order to ensure that failure of the preventative mechanisms, and success of the detection mechanisms, are properly handled. An excellent example comes from the realm of physical security. A common belief is that tamperproof tape is sufficient to detect the violation of preventative mechanisms; for example, sealing a bay with tamperproof tape enables one to detect that the bay has been opened. Two problems arise. First, there must be a procedure to check the tamperproof tape. Second, an attacker can often acquire the same tape as is used to protect the systems. The attacker simply removes the tape showing evidence of the tampering, and replaces it with her own tape. Unless the original tamperproof tape has unique serial numbers and the observers check those serial numbers, the detection mechanism is defeated. Unless the customers follow an appropriate procedure (here, checking that the tape is intact and the intact tape has the right serial numbers), the security mechanism is easily defeated.

Finally, the red teams wish again to emphasize the inadequacy of “security through obscurity” as a key defensive mechanism. No security mechanism should ever depend on secrecy. At best, secrecy should be a single security mechanism in a layer of defensive security mechanisms. In this study, when vendors failed to provide software that would have helped the red teams expedite the testing process, the failure became a motivation for the red teams to construct equivalent software to carry out the attacks. The only thing lost was time that could have been used for testing. Given the constraints under which the red teams operated, a well-financed team of attackers, with plenty of time to plan attacks between elections, could do considerably better.
[all emphasis in original]
Perhaps we should add "elections" to Bismarck's famous remark about laws and sausages.


Monday, June 25, 2007

Report slams U.K. e-voting trials

Computerworld has a report by Jeremy Kirk on the problems with e-voting in the United Kingdom.

The U.K.'s trial of e-voting and e-counting technologies during last month's local elections resulted in crashed computers and technicians scratching their heads while posing new concerns about the systems' security and reliability, a new report has concluded.

In one area of England, a manual recount performed after e-counting equipment was abandoned because of delays turned up a raft of uncounted votes, said Jason Kitcat, e-voting coordinator for the Open Rights Group, which deployed observers to polling sites in England and Scotland.

The group, which has been critical of e-voting and e-counting, has submitted its 64-page report (format) to the U.K. Electoral Commission, which will publish its own report on the trials on Aug. 3...

E-counting scanners proved finicky due to incorrect paper sizes, scanner sensitivity and trouble in handling low-quality perforations on ballots. The most curious error in e-counting occurred in a ward in Breckland, England, where voters were given two ballots: one each for district council and parish elections. Officials tried an electronic count, but came up with far fewer district ballots than parish ballots when the two counts should be roughly the same, Kitcat said. A manual recount turned up about 56% more district council ballots.

"We haven't been given an explanation by the election official or suppliers," Kitcat said.


Thursday, May 10, 2007

California voting machines: Good news.

Debra Bowen, California Secretary of State--responsible for the conduct of elections--has just announced a top-to-bottom review of voting systems certified for use in California. Some of the top experts in the field have been recruited to lead the effort, which will cost about $1.8 million (compared to the $450 million spent or set aside to upgrade California’s voting equipment over the past several years). The review will be complete in time to ensure the use of the reviewed systems in the 2008 elections.

More states should be doing this, until the Federal government steps up and conducts comparable studies for all systems nationally.

FAQ.


Friday, March 09, 2007

Not bedtime reading

Avi Rubin has posted a summary reaction to the expert panel report on their analysis of the source code supposedly used in the voting machines that lost 18,000 votes in Sarasota County, Florida.

His bottom line:
I would not suggest reading this report before bed, because it is quite scary. To me, the Princeton work, coupled with this FSU report should serve as wake-up calls to the elections community that these sorts of studies need to take place before voting systems are deployed, not after an election has proven problematic. Studies such as the FSU one should be done as part of the certification process. This report clearly uncovered problems that would have been show stoppers, and yet, relatively little attention has been paid to this.


Thursday, March 08, 2007

New GAO Report on Electronic Voting

The Government Accountability Office (the investigative arm of Congress) has released a new report, All Levels of Government Are Needed to Address Electronic Voting System Challenges.

COMPUTERWORLD has published a trenchant commentary by Brad Friedman. Excerpts:

The report covers the lack of security and reliability standards and testing for all electronic voting systems across the country at the federal, state and local levels. It reveals a system of democracy in utter disarray in the wake of the ill-conceived and ill-administered Help America Vote Act (HAVA) of 2002 and the technological nightmare now facing voting jurisdictions across the United States...

We concluded in 2005 that these concerns have caused problems with recent elections, resulting in the loss and miscount of votes.

Doesn't get much clearer than that, does it...

As well, Hite's report underlined yet again that the e-voting activists once criticized as "conspiracy theorists" have been right all along. It's hard for someone who's been following the trail for years not to break into a chorus of "I told you so," dedicated to the Republicans, Elections Officials, Voting Machine Companies (and a few utterly reckless and reprehensible Democrats to boot) who simply refused to handle the truth...

[E]lectronic voting systems are an undeniably critical link in the overall election chain. While this link alone cannot make an election, it can break one. The problems that some jurisdictions have experienced and the serious concerns that have surfaced highlight the potential for continuing difficulties in upcoming national elections if these challenges are not effectively addressed.

Note the word "effectively" in the above paragraph. Election Reform legislation is not enough; if it's not effective, it's meaningless and sends democracy back over the same cliff over which the process pitched in Florida 2000, Ohio 2004 and Sarasota 2006. Without a DRE ban -- as in Holt's bill if it's not amended -- there's nothing to stop us from heading off that same cliff all over again in 2008.


Saturday, February 17, 2007

Avi Rubin on Rep. Holt's H.R. 811

Avi has a thoughtful post on the most recent version of Representative Rush Holt's bill to require voter-verified paper ballots.

In a nutshell, "passage of the Holt bill would be the single most positive development in this country this decade to ensure the security, integrity and verifiability of elections."

Coming from one of the best-credentialed and most responsible critics of many of today's electronic voting systems, this endorsement carries a lot of weight with me.
