Iowa Voters

Thursday’s public test of the touchscreen terminals was similar to the the scanner test in that the same ten ballots were cast. As with the scanners, the computer was set for “Test Mode”.

I asked why they tested in “Test Mode” when the machine would not be used in test mode on election day. I might as well have asked why is the sky brighter in the daytime. Even the other citizen observer chimed in to help explain to me that this was only a test, so “Test Mode” was appropriate.

A bit later one tester volunteered to show me that a voter could not vote twice on the touchscreen because it would reject the voter’s card when he tried to use it the second time. She put the card back in the machine. It surprised her by accepting the card again and offering a new ballot. The other tester quickly realized that this unwanted development was made possible by the fact that they were in “Test Mode!”

I opined that it was now obvious that the machine behaves differently in its various modes and ought to be tested in “Election Mode”, but they just ignored my comment.

When the test was over, it was time to secure the memory card in the machine according to new SoS guidelines involving security tape. County auditor Bunda said that due to the Iowa wide run on security tape, it was on backorder. The voting machine would remain untaped for now.

Since I had to leave the test before the second set of touchscreens were put through their paces, I did not get to ask for my turn to participate in the test. I would have tried John Washburn’s advice by touching the corners and midpoints of the screen edges and would have tried touching the screen with unsteady hands.

Come to think of it, they were not testing any audio equipment. I could have blindfolded myself and tried to vote a test ballot. I wonder why that was not an option. The whole point of the Diebold TSX is that blind voters can vote unassisted by using the audio equipment.

Today they tested our new Diebold voting machines in Pocahontas. We have eleven precincts so eleven scanners and eleven touchscreens were arrayed in the Courthouse Assembly Room at 9:00 a.m. The auditor and four of her staff were present as were two observers.

Two staff members tested the scanner for one precinct while the other two tested the scanner for a different precinct. The auditor held the direction book and read off the directions for both teams. When they finished the scanners, they tested the touchscreens. In an hour they were done with those first two precincts. Assuming they pick up speed with practice, the work should have lasted much of the day. I stayed only until 10:45.

Ten ballots were entered for each test. All ten had been prepared by the local staff. Five of the ballots were exactly like each other. I was told this was required. (!) The next five were referred to as “randomly marked with overvotes and undervotes.” These five ballots allowed every candidate to get at least one vote, I think, and each write-in line was also voted once.

After the votes were cast a totals tape was run. They were not comparing the tape to the ballots they knew they had just cast until I asked about it. When the test was finished, the machine was reset for election day and a memory card was “locked” into the machine with a plastic security tag bearing a serial number.

As the testers moved on the next set of machines, I asked about submitting my own test ballots. Auditor Margene Bunda agreed that I was permitted to do so but she had to go back upstairs to her office to get some ballots. She brought 3 ballots (two Ds and one R) for the Dover precinct which was third in the testing sequence.

I marked the ballots so as to test the calibration of the equipment, following the advice of software tester John Washburn and remembering the Arizona calibration problems reported by professor Jones. One of the D ballots and the only R ballot were marked by me with a pencil. I scribbled all over the ballot except where the voter marks are supposed to go. Those ballots should record no votes when fed into the machine.

On the other D ballot I voted in a careless manner. I voted for Culver, erased it and voted for Fallon. I made a tiny pencil mark in the oval for Dusky Terry, but also made a good dark mark for Terry’s opponent Denise O’Brien. For one write in candidate I put a tiny arrow inside the oval but did not fill the oval in completely. For other candidates I made an X or a checkmark.

Then I left!! It was 10:45 and I was due in Laurens at 11:00. So I did not get to see the results of my three test ballots. Were my votes counted? The voter intent does not matter in Iowa. The mark must be readable by the machine.

Next: Testing the paperless touchscreens.

Democratic Party candidate for Secretary of State Mike Mauro last week released his fundraising report, as did all Iowa candidates. Mauro claimed nearly $100,000 cash on hand. He has no primary opponent.

“Republicans Chuck Allison and Robert Dopf reported $8,044 and $7,206, respectively,” according to a report at IowaPolitics.com

Meanwhile Dopf is quoted in the Sioux City Journal on his campaign to reign in absentee voting. To that end he accused Chet Culver of not attending to the issue:

“Under eight years of Chet Culver, I heard a lot about getting out the vote,” Dopf said. “I never once heard anything about the security or integrity of the process.”

That is an overstatement. Culver has recently advocated for paper ballots as insurance against paperless computer voting. That is the main problem in election integrity these days.

Governor Vilsack has issued a challenge to the Secretary of State candidates throughout the nation. He wants them to take a VOTES pledge (everything has to have an acronym these days).

VOTES goes like this:

To restore public confidence that voting is a right not a privilege, I believe:

*VERIFIABLE:* Every vote cast must be counted by a system that is auditable with a verifiable paper trail.

*OBJECTIVE*: Every election official must conduct their
responsibilities openly and objectively to restore public confidence.

*TOUGH*: Every law to prevent voter intimidation and fraud must be vigorously enforced.

*EQUAL*: Every citizen must have equal access to locations, adequate machines and well-trained election judges.

*SECURE*: Every voting machine must be secured during all aspects of voting to protect the integrity of the count.

You can also sign on to this campaign at Vilsack’s Heartland PAC website here.

Between now and the June primary your county must publicly test its voting machines. You can participate–and not just by watching.

You can call the county auditor for the schedule or ask your political party chair who should have been notified as well. Contact the Rs or the Ds where you live.

Iowa code chapter 52 provides for a test using “a pre-audited group of ballots” including a provision that “Any observer may submit an additional test group of ballots which, if so submitted, shall also be tested.”

Your test group is limited to ten ballots, but they may be the only independently created ballots in the test. It is common for officials to run canned tests provided for them by the same company that sold them the machine and then set up the ballot definition for the next election. In that case it is only the programmer testing himself.

“As near as I can tell election departments use no formal or written test procedures anywhere in the country,” according to Wisconsin software quality engineer John Washburn.

Independent tests are in order. See this post for some ideas on how to mark ballots that will reveal much about the calibration of ballot scanners (and what can happen when you don’t do a good job).

This pdf file contains 50 pages of explanation by Washburn on creating your own test deck of ballots. If that is too much to digest, try the one page Executive Summary.

The full document tells how to test touchscreens as well as how to fill in paper ballots that scanners read.

There are stories after every election of uncounted ballots and touchscreens that didn’t behave. Much of this could be prevented with good independent testing of the machinery before the election, according to Washburn.

With all the bad news about voting machines, its nice to have a laugh or two at their expense. So here’s two laughs:

An Arkansas official says tall voters complained about the touchscreen not recording their votes properly, so she took the machine out of service during the election. She complained to ES & S, the manufacturer, who CONFIRMED THE PROBLEM!!

In Luzerne County, Pennsylvania, voters used their new computers to make more write in votes than in the past. And they took the opportunity to diss the process:

“I’m disturbed by some of the swear words,” said Luzerne County Election Bureau Director Leonard Piazza.

“That’s disgusting. If that’s the kind of word you’re going to type into these machines, then you ought not to be bothering to vote because that’s an insult to the voting process,” Piazza said.

One wag has suggested that opponents of paperless voting machines should use the write-in feature to vote for “paper ballots” or “noproof notruth”.

Iowa has not ordered the sequestering of its new Diebold touchscreen election equipment, according to John Hedgecoth, Deputy Secretary of State for Operations. So InsideBayArea.com was in error when it made that claim last week:

Pennsylvania, California and Iowa are issuing emergency notices to local elections officials, generally telling them to “sequester” their Diebold touch screens and reprogram them with “trusted” software issued by the state capital.

But the part about trusted software (it always comes back to “trust” for some people) does apply to Iowa. Hedgecoth told an independent online newspaper called The New Standard that

his office instructed elections officials in the state’s 99 counties to upload a final version of the software into their machines just before Election Day and then seal the machine with the memory card in it. “So we are controlling both the software in the field with a final version that is decided upon by our elections division, and then we’re securing the memory card against tampering on Election Day,” he said.

Not only is the sequestering report wrong about Iowa, these two reports (Rubin and Klein) must also be wrong about how difficult it is to know just whose software will actually control the action on election day. I don’t know the track record of Klein, but Avi Rubin’s track record is good. If he is wrong. even I will need someone new to trust.

VERIFIED VOTING SPECIAL NEWSLETTER

A critical security vulnerability has been brought to light in Diebold touch screen voting machines, just as several primaries are about to occur.

In a May 12th New York Times article, Avi Rubin, a Professor at Johns Hopkins and Verified Voting advisory board member, said “I almost had a heart attack” when he understood the nature of the problem. Michael Shamos, a computer scientist and voting system examiner in Pennsylvania, was quoted in the same article, “It’s the most severe security flaw ever discovered in a voting system.” Indeed, several experts have urged that the technical details of the problem not be discussed because it is so easy to exploit. Such recommendations are extraordinary, coming from a community that values openness and transparency on computer security issues.

According to the report (available in redacted version at www.blackboxvoting.org) by computer expert Harri Hursti, the machines have insufficient protection to prevent malicious firmware from being installed. If bad firmware were installed, it would be difficult to detect, and it might be difficult to install new “clean” firmware. A wide variety of poll workers, shippers, technicians and so on, have physical access to voting machines at various times; any of these people might be able to use that access to install bad firmware.

Shockingly, news of the security flaw was topped off on Monday with news that both Diebold and the State of Maryland have been aware of the security vulnerability for at least two years.

Further adding to the scandal is the fact that the backdoor (or doors) were designed into the machines intentionally, against accepted design practice and, indeed, simple common sense, as Diebold spokesman David Bear admits in the same New York Times article. He goes on to say, “For there to be a problem here, you’re basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software,” he said. “I don’t believe these evil elections people exist.”

Diebold’s confidence in election officials is heartwarming. But what really matters is the confidence of the voting public. What are these same election officials to do when disgruntled candidates question the results of their elections? They can’t point to federal and state safeguards, which completely overlooked this glaring problem. In most places using Diebold touch screen machines, there will be no voter-verified paper records to recount. In those jurisdictions in particular, Diebold has left election officials with no method to defend themselves or their elections when questions arise.

It is easy for people to learn the wrong lesson from this incident: that we need more stringent computer security. More stringent security is desirable (depending on how much it costs), but won’t solve the real problem. The cause of the real problem is the use of paperless electronic voting, which is fatally flawed as a concept. Modern computer systems cannot be made sufficiently secure to handle all-electronic voting with secret ballots. Mistakes or tampering at any level, from the software to the circuits in the chips can change electronic votes, undetectably.

This incident is just one of many, involving products from many different manufacturers. It won’t be the last. Indeed, such problems will never end as long as paperless electronic voting is in place.

Suppose we had the best possible practices, such as thorough background checks of the ownership, management, and employees of vendors, meticulous and intrusive reviews of the design and manufacture of the equipment by truly independent experts, and so on – the kinds of measures used for regulation of gambling equipment. Even these measures would not eliminate programming errors and security holes. Even in a best-case scenario, there will always be people who can “hack” the machines (including the programmers who write the code in the first place). Voters will never know whether their votes were recorded and counted accurately.

Given the current state of technology, elections cannot be trustworthy unless there are voter-verified paper records of the votes and a significant portion of those paper records are manually counted to check the machine counts. We can’t guarantee that machines will always function correctly, but each voter can make sure that his or her vote has been correctly recorded on paper (preferably by the voter’s own hand).

Fortunately, twenty-seven states with over fifty percent of the U.S. population require voter-verified paper records. Some counties in those states may use the Diebold touch screen machines with “paper trail” printers. If they must use the machines, we would urge them in the strongest terms to be especially diligent in protecting and auditing those paper records – including manually counting more than the minimum number required by law.

Every jurisdiction with voter-verified paper records (paper ballots or paper audit trail printouts verified by the voter) should publicly carry out a manual audit, after the initial vote count is reported, with random selection of the areas to be counted. Voters should encourage their election officials to carry out such an audit – regardless of whether it is required by law in their state – in order to check the voting system for accuracy. Currently, more than twice as many jurisdictions offer voter-verified paper records than there are jurisdictions that require audits.

Whatever you do, don’t let these problems discourage you from voting. If you don’t vote, you can be sure that your vote won’t count. Instead, contact your elected officials and the candidates and make sure they understand that paperless electronic voting must be replaced with systems that provide a voter-verified paper record that is manually audited – our democracy depends upon it.

###

May 16, 2006
Verified Voting Foundation
1550 Bryant St., Suite 855
San Francisco, CA 94103
415-487-2255 telephone
info@verifiedvoting.org

The description of Stan Klein (in the post below) has been echoed by a pair of computer scientists, Avi Rubin and Ed Felten, at the website Freedom to Tinker:

compromised machines would be very difficult to detect or to repair. The normal procedure for installing software updates on the machines could not be trusted, because malicious code could cause that procedure to report success, without actually installing any updates. A technician who tried to update the machine’s software would be misled into thinking the update had been installed, when it actually had not.

On election day, malicious software could refuse to function, or it could silently miscount votes.

They conclude that the current crop of touchscreen voting machines ought to be scrapped.

Unfortunately for 18 Iowa counties, no other polling place equipment is handy. Sixteen of the counties have the now discredited Diebold stuff, while two of the counties have the yet to be discredited Ivotronic,sold by ES & S of Omaha.

They could go to paper and pencil for the June 6 primary. All that is needed is to hand out absentee ballots at the poll and count them with the other absentee ballots. Blind voters or others who need the special help of the “accessible” voting machines to vote secretly could do so at the courthouse on a single one of the vulnerable Diebolds. That should minimize the vulnerability.

I don’t expect this, however. More likely is a heroic effort to control access to the machines. But the descriptions of the problem by Klein and Rubin cited in this post and the previous post make any such effort look disingenuous.

This is how techie Stan Klein of Truevotemd.org explains the latest security hole in Diebold “voting” machines that was reported by Harry Hursti this week

I briefly looked at the report (redacted version) yesterday. Even without knowing all the details, on a scale of 1 to 10 this is a 100. I think there needs to be an immediate investigation on how the machines got to be designed this way, . . . and how the machines got through the certification process without fraud or bribery. The violations of the [federal voting system standards] are too extensive to overlook.

Essentially, Hursti found it is easy to install malicious code permanently on the machine at the most fundamental level that can defeat any attempt to secure the machine afterward.

So it is “easy’” and it is “permanent.” That is really all I need to know to jump to this conclusion: These so-called voting machines are not fit for use–even once. Iowa should order them scrapped right now and Diebold should be sued for fraud.

If you want more of Klein’s excellent explanation, keep reading. He breaks the computer’s brain into three sections:

There are three levels of code in any computer:
(1) the BIOS (that interfaces the hardware to the software, controls the system at startup, and is the basic level of machine functionality),
(2)the operating system (that provides essential services, including security, for the system), and
(3)the application (in this case voting functionality).

Then he zeros in on the BIOS, which means “basic input output system”:

The BIOS is what you are working with when a computer starts up and you get the option to press F2 or some other key and set things like the boot sequence, the system clock, the processor speed, and some hardware level functions, including some security functions.

So I learned something right there! I never heard of the BIOS before. Now I know what is happening with my son’s new Dell computer that won’t run Windows at startup. We get that screen that Stan describes. We must be dealing with the BIOS. Something is wrong that we can’t fix. Even the guy in India who answered the tech support call wasted hours of our time trying to figure out what to do.

Hursti showed that it is trivial to alter the Diebold BIOS (the most fundamental level in any computer) and to attack both the operating system and voting application as well. All it takes is to connect the right kind of device, to name the files according to Diebold’s naming scheme, and to get brief physical access (a minute or two) to the machine. The system will automatically install the malicious code, which can be permanent, can contain functionality to enable further attacks (such as vote reallocation), can protect itself from forensic investigation, and can defeat any security measures added at a higher level (such as hash code checking).

Let’s summarize: In a minute or two, new malicious code can be permanently installed. It can defeat any security measures attempted later and hide itself from forensic investigation.

If Stan is correct, conscientious election administrators will bury Diebold Election Systems. RIP

Believe it or not there really is a good, rocking tune about voting machines:

They lost my vote I made my choice
Does anybody care to hear my voice
They lost my vote was that the plan
Nobody, nobody nobody nobody knows that I took a stand

You can see artist Ellen Bukstel here and even get a free Mp3 of the song.

Let’s dedicate it to Diebold and all those election supervisors who don’t really know how Diebold’s equipment works but want to use it anyway.

The computer scientist:

Aviel Rubin, a professor of computer science at Johns Hopkins University, did the first in-depth analysis of the security flaws in the source code for Diebold touch-screen machines in 2003. After studying the latest problem, he said: “I almost had a heart attack. The implications of this are pretty astounding.”

The care-free election official:

We’re prepared for those types of problems,” said Deborah Hench, the registrar of voters in San Joaquin County, Calif.

The Diebold spokesman:

“For there to be a problem here, you’re basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software,” he said. “I don’t believe these evil elections people exist.”

Was Diebold’s spokesman David Bear born yesterday?

It all in the NY Times today.

Just as states are beginning to grasp the implications of the Hursti hack in a mock Florida election in December (Iowa has recently adopted “emergency” rules to protect against a Hursti hack in the upcoming primary), ANOTHER EMERGENCY has been declared in the last few days.

University of Iowa computer scientist and voting machine expert Doug Jones told a California newspaper,

“All of us who have heard the technical details of this are really shocked. It defies reason that anyone who works with security would tolerate this design.”

This time the experts are not telling us what the problem is in any detail. They just stick to metaphors as Jones did here:

“This one is worse than any of the others I’ve seen. It’s more fundamental. In the other ones, we’ve been arguing about the security of the locks on the front door, Now we find that there’s no back door. This is the kind of thing where if the states don’t get out in front of the hackers, there’s a real threat.”

Even the news reporter for that story withheld some of what he learned in writing the story, because “exploiting it is so simple and the tools for doing so are widely available.”

The story is about Diebold touchscreen machines. More than a thousand Iowa precincts now have these so-called voting machines.

The security hole was discovered by Blackboxvoting.org with the help of an intrepid election official in Nevada named Bruce Funk. Funk asked BBV and Security Innovation to examine his Diebold equipment when he became suspicious of it.

According to Insidebayarea.com, a California source on which this post is based (the link is not working for me but everyone else is using it, so maybe it will work for you)

Pennsylvania, California and Iowa are issuing emergency notices to local elections officials, generally telling them to “sequester” their Diebold touch screens and reprogram them with “trusted” software issued by the state capital.

I have asked the Iowa Secretary of State to confirm this.

The association of the various state election directors (NASED) has a voting systems board chaired by the Iowa election director, Sandy Steinbach. They are looking into this latest revelation, according to NASED chief Kevin Kennedy of Wisconsin. Just recently Steinbach issued a NASED memo regarding the previous Diebold security hole uncovered by Harry Hursti in December.

Iowa’s election director Sandy Steinbach is chair of the voting systems board for the National Association of State Election Directors (NASED). She has recently posted a directive to all states to guard their voting machine memory cards in a manner similar to the new Iowa and Florida regulations. See previous post here.

She warns all states to act promptly:

Failure to comply with this addendum negates the voting system’s status as a NASED-qualified voting system.

A response to this directive is expected from voting machine activists in a day or two. Steinbach is expected to be criticized for misrepresenting the facts and glossing over the problem in her memo. Go read it now so you will be ready for the coming argument. It is only a page and a half long. It is here.

Last year when the Iowa state senate passed SF 351 to require paper trails for voting, I was surprised that it passed unanimously. Someone explained that the Senators had seen their own electronic voting board break down in the middle of a vote and that had helped them see the need for the bill.

This spring the Iowa house followed suit and voted for paper trails. Again the vote was unanimous. Was it for the same reason?

In his last speech of the session, House speaker Chris Rants referred to the voting system when thanking the various House employees for their work:

Allysa makes sure I don’t miss all of your votes when your desk voting machines are broken – as they apparently often are.

They know the problems and they have the votes to fix them. But they can’t give up playing politics and actually pass the bill. So we, too, get to risk broken voting machines.

Democrats in the second, third and fifth districts all did better than my own fourth district platform committee on the question of unaudited and paperless voting. All of them at least mention “paper,” although the weak wording in the third district barely even manages that:

We support using paper ballots for recounts.

The fifth distirct has some familiar wording–I think I wrote it! I circulated a draft resolution to several counties and it included the phrase “human eyes.” Here is what survived in the fifth district’s platform:

We support: All computer systems used for voting in Iowa elections must produce a paper copy of the ballot that is verifiable by the voter before it is cast and that will be countable by human eyes.

The most ambitious wording comes from the second district. It calls for three improvements in voting:

We Support:
Voter-verified paper audit trail, mandatory random audits of at least two percent of precincts, and public disclosure of software used on voting equipment;

The committee working on the state platform has good planks and weak planks to work from. The main value of this debate is probably what takes place in the committee itself. Here’s hoping the people from the second and fifth districts understand their own platforms and can convince the other districts to adopt the stronger wording.

Thanks to Lynda Waddington for tracking down these platforms.