Archive for September, 2006

DoD’s Email Vote Plan Called “Far Worse”

Thursday, September 28th, 2006

by Jerry Depew

Even the Department of Defense is fretting over its new email voting scheme, now involving only a handful of states including Iowa. One computer scientist told a reporter the new system is “far worse” than the plans that were scrapped in 2004:

Last month, an internal Defense Department review of its ballot system “found significant concerns surrounding the e-mailing of voting materials.” The review stated: “E-mail traffic can flow through equipment owned and operated by various governments, companies and individuals in many different countries. It is easily monitored, blocked and subject to tampering.”

. . . .

David Wagner, an associate professor of computer science at the University of California-Berkeley, said the system of fax and e-mail was “far worse” from a security perspective than the Pentagon’s last attempt to solve this issue: an online voting system the Pentagon canceled in 2004 because it could not prevent electronic ballots from being altered or erased.

Iowa joined this “far worse” system with considerable fanfare last month.

JD

Senators Boxer and Dodd introduce emergency paper ballot legislation

Tuesday, September 26th, 2006

By Sean Flaherty

From VoteTrustUSA:

“In response to widespread concern about the reliability of electronic voting systems, legislation was introduced today by Senator Barbara Boxer (D-CA) and Senator Chris Dodd (D-CT) that would provide funding to jurisdictions for the printing of emergency paper ballots. Growing out of an effort initiated by Brad Friedman of BradBlog and Velvet Revolution, and endorsed by Common Cause, VotersUnite.org and numerous other election integrity and public interest groups, this emergency provision offers incentive for counties to provide paper ballots in the case of machine malfunction and for voters that prefer to vote on paper ballots.”

Rep. Rush Holt is introducing a companion bill in the House. The Senate version of the bill is S.3943; the House version is HR 6187.

See also a New York Times article on the emergency bill.

Congress adjourns Friday, so call today!

Click here for Senator Grassley’s contact info, click here for Senator Harkin’s.

For your Congressman, click on the name to get contact info:

Jim Nussle
Jim Leach
Leonard Boswell
Tom Latham
Steve King

Jones Testifies in Colorado

Friday, September 22nd, 2006

Iowa’s voting machine expert and computer scientist Doug Jones testified this week in Colorado on the vulnerability of electronic voting machines.

Jones is a genuine expert witness. Like the old joke says, experts get more respect as they get farther away from home. Jones has been to Florida, Arizona, Panama, and Kazakhstan to examine elections. Meanwhile one supposed “expert” in the Marshall county auditor’s office told me last year, “I know about Professor Jones, but I just don’t agree with him.”

SOS Project Endorses Mauro

Friday, September 22nd, 2006

“A modest political investment in electing clean candidates to the key Secretary of State offices is an efficient way to protect the election in 2008.”

That’s the pitch at a website which has endorsed SoS candidates in seven states, including Iowa. They even claim to have raised over $8000 for Iowa’s candidate, Democrat Mike Mauro of Des Moines. That figure is up more than $1000 since I first saw the website a week ago, so business is pretty brisk, I’d say. Mauro is third highest beneficiary of their fundraising.

Here’s a bit from their endorsement of Mauro:

Mauro believes a photo ID requirement would make it harder for some citizens to vote and says that “life circumstance should not make a person a disenfranchised voter.” Iowa Governor Tom Vilsack has been a vocal supporter of Mauro’s candidacy, praising Mauro’s efforts to simplify the registration process and make voting more accessible. Mauro supports a voter verified paper trail.

The website is a project of Democratic activist James Rucker of California. The endorsed candidates are all Democrats, but the project is not authorized by any candidate.

Is Rubin Challenging Culver?

Monday, September 18th, 2006

Diebold has shrugged off the Princeton hack/virus by claiming it was perpetrated on an old system. So what about their new system? Is it any better? A computer scientist at Johns Hopkins University takes a Show Me attitude:

Diebold’s defense against our paper and against Princeton’s paper is that we looked at an old version of the system. Well, my response to that is, let us look at the new one! Every election administrator in the country who uses the Diebold machines should want Ed’s team and mine to perform a security assessment of their voting technology. If Diebold’s system is not vulnerable to Princeton’s virus, then wouldn’t they welcome such a public analysis? If they fear that the new version is vulnerable, then isn’t that a question that needs to be answered publicly?

Iowa has the newer Diebold touchscreens. Secretary Culver has bragged endlessly about his administration of the Help America Vote Act, which paid for the new touchscreens. So, yes, he is vulnerable to Rubin’s challenge.

Will he answer it? He’s in a close race for higher office. He could use the favorable attention that would come his way if he accepted and passed this challenge. But he’d be putting his future in Diebold’s hands in more ways than one. Would you do that? I’m betting that Culver will try to ignore this.

Email Votes With Security and Privacy

Sunday, September 17th, 2006

Email voting has one advantage (speed) but two disadvantages (loss of ballot secrecy and loss of security). How about a compromise method that retains some secrecy and gains some speed? Granted this idea is slower than the Iowa plan, but it is as secure as regular absentee ballots.

This idea is constructed from a conversation between Prof Doug Jones and Iowans for Voting Integrity president Carole Simmons and others. I was not present for the conversation.

The Plan:

Overseas voters can apply for absentee ballots by email and counties can send out ballots as pdf files. That speeds up the process.

Voters must then print the ballot pdf, mark it as any other paper ballot, and mail it back via the post office. That retains all the security of absentee ballots and is more secretive than email.

There is unlikely to be complete privacy here, however. This ballot can’t go through the scanner, so it has to be counted by real people. They might know the voter in question if only one or two pdf ballots arrive at a precinct.

But we have gained transmission security and some privacy, while giving up some speed.

Here is a thorough critique of a 2004 email voting plan. Hat tip to Prof Jones.

Rules Should Ban Sleepovers

Saturday, September 16th, 2006

Did you know that once voting machines are publicly tested and are all set for the election they then get sent home with pollworkers for several days? It’s called a “sleepover” by critics of the practice. And it will still be permitted if the new Iowa rules proposed on Aug 30 go into effect unchanged.

It has become a well established fact that electronic voting equipment is hackable. It’s been proven by computer scientists numerous times, most recently this week at Princeton.

Iowa and other states have reacted by slapping security tape on the most obviously vulnerable parts of the machine to “protect” against surreptitious entry. Then they continue the old practice of sending voting supplies home with the pollworkers.

Sleepovers were harmless when we began election mornings with an empty aluminum ballot box and a stack of paper ballots. Any pollworker could see that the box was empty and the ballots were still pristine.

Nowadays nary a pollworker can tell if the programming has been altered on an electronic ballot counting scanner or touchscreen. And what about the security tape? Here are the observations of pollworker and computer scientist Avi Rubin from this week’s primary in Maryland:

Nothing happened today to change my opinion about the security of these systems, but I did have some eye opening experiences about the weaknesses of some of the physical security measures that are touted as providing the missing security. For example, I carefully studied the tamper tape that is used to guard the memory cards. In light of Hursti’s report, the security of the memory cards is critical. Well, I am 100% convinced that if the tamper tape had been peeled off and put back on, nobody except a very well trained professional would notice it. The tamper tape has a tiny version of the word “void” appear inside it after it has been removed and replaced, but it is very subtle. In fact, a couple of times, due to issues we had with the machines, the chief judge removed the tamper tape and then put it back. One time, it was to reboot a machine that was hanging when a voter was trying to vote. I looked at the tamper tape that was replaced and couldn’t tell the difference, and then it occurred to me that instead of rebooting, someone could mess with the memory card and replace the tape, and we wouldn’t have noticed. I asked if I could play with the tamper tape a bit, and they let me handle it. I believe I can now, with great effort and concentration, tell the difference between one that has been peeled off and one that has not. But, I did not see the judges using that kind of care every time they opened and closed them. As far as I’m concerned, the tamper tape does very little in the way of actual security, and that will be the case as long as it is used by lay poll workers, as opposed to CIA agents.

So Rubin has said the tape provides no security even at the polls. Think how much less good it does during a four day sleepover.

Tell the Secretary of State that we have outgrown sleepovers now that we have high tech vote manipulating devices instead of aluminum ballot boxes. Send comments on the Aug 30 rules to sos@sos.state.ia.us and put “Comments for Sandy Steinbach” in the subject line. Comment period ends Tuesday.

Princeton, Diebold, & Professor Jones

Friday, September 15th, 2006

I haven’t covered it here at Iowavoters because it didn’t look like an Iowa story, but now it is. This week computer scientists at Princeton University released a paper and a video on how to hack a Diebold touchscreen vote manipulating device, the TS. In Iowa we have the successor model, the TSx.

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.

On Wednesday Diebold responded:

“By any standard - academic or common sense - the study is unrealistic and inaccurate.”

Today University of Iowa computer scientist and voting machine expert Doug Jones rebutted Diebold:

Diebold owes the public a list of the third party security analyses that have found their system to be secure. None of the analyses I’m aware of drew positive conclusions.

All three of the above links go to short documents. You really can afford to follow all three if you are interested.

New Rules On Touchscreens & Paper Trails

Friday, September 15th, 2006

The new rules proposed last month fall short when it comes to touchscreens (DREs). Here are three specifics:

1. A few conscientious auditors bought printers that create voter-verifiable paper trails (see this map), but there is no Iowa law on how to use them. The new rules tell these auditors to stick their heads in the sand. They say the paper trail must be sealed up immediately after the election. It must be destroyed after a given period as other ballots are destroyed. It must never be looked at!!!

This probably means no auditor will hook up the printer after this. To do so would be to deceive the public into thinking the paper provided some backup. We ought to scrap this new rule and have a different one: that paper trails may be unofficial records but they can still be used in unofficial audits to make sure the machines are behaving. At least the auditors would know and that is something.

2. When touchscreens are tested before the election, they are often tested in “test mode” instead of “election mode”. They don’t behave the same in both modes, as I witnessed in the Pocahontas county test in May. Official testing should be done in the same mode that will be used on election day, not in the mode used at the state fair booth to “WOW” the public.

3. There is no requirement to report how many votes have been cast on paperless DREs and how many were cast on paper ballots that went into a scanner. There should be, so that we can know the size of the problem of paperless voting in Iowa.

You can comment on these rules until Tuesday. Tell the Secretary of State to a) make good use of the paper trails while we pound on the legislature to pass a paper trail requirement; b) test equipment in election mode; and c) report the extent of touchscreen use.

Comments go to sos@sos.state.ia.us. Put the name of Sandy Steinbach in the message or the subject line.

New Iowa Rules For Test Ballots

Thursday, September 14th, 2006

When the county election officers prepare their equipment they run test ballots through to see if the machines still can read and count. Since few counties actually do their own ballot and scanner configuration, this testing is the only way to know if it’s been done correctly by the subcontractor. If the testing is inadequate, you can get Pottawattamie’s problem. If you don’t have a voter-verified paper trail, you are screwed.

Thankfully the Secretary of State has now proposed rules for these test ballots. The rules require the testing of every touch screen being used, rather than just one per precinct. They also allow “Members of the public, working with a person designated by the commissioner, [to] provide a written test plan and test the operation of the DRE voting machines.”

You should support this aspect of the new rules during the public comment period which runs only until Tuesday. Contact Sandy Steinbach at sos@sos.state.ia.us to endorse thorough test ballot rules.

Diebold Technician Confesses

Wednesday, September 13th, 2006

Iowa’s Secretary of State recently placed before us some new rules on the handling of our vote manipulating devices. One of the proposed rules says this: “Only a person who is authorized in writing by the commissioner to do so shall be permitted to attempt to repair malfunctioning voting equipment.”

This vague standard will not protect us from the roving technicians deployed by the vendors of our voting equipment. It is common for the vendors to hire temporary help at Monster.com, give them cursory training, send them out to polling places as trouble shooters, and charge counties a pretty price for their services. On Tuesday one such technician confessed his ignorance to a pollworker in Maryland, not knowing his confession would appear on the internet:

Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to “help”, and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines (not to mention the fact that there were not enough ports on the machines to do it that way). The next few times we had problems, the judges would call him over, and then he called me over to help. After a while, I asked him how long he had been working for Diebold because he didn’t seem to know anything about the equipment, and he said, “one day.” I said, “You mean they hired you yesterday?” And he replied, “yes, I had 6 hours of training yesterday. It was 80 people and 2 instructors, and none of us really knew what was going on.” I asked him how this was possible, and he replied, “I shouldn’t be telling you this, but it’s all money. They are too cheap to do this right. They should have a real tech person in each precinct, but that costs too much, so they go out and hire a bunch of contractors the day before the election, and they think that they can train us, but it’s too compressed.” Around 4 pm, he came and told me that he wasn’t doing any good there, and that he was too frustrated, and that he was going home. We didn’t see him again.

As you can see, these people should not have access to the equipment at the polls, even if they do have written permission. Since Iowa’s new rule is up for public comment, now is the time (comments close next Tuesday) to tell the SoS that written permission is too weak a standard. Only regular election personnel should be tweaking the gadgets once the pre-election testing has been completed.

Comment to Sandy Steinbach at sos@sos.state.ia.us

The Vanishing Ballot

Tuesday, September 12th, 2006

Updated Below–

Two years ago Pocahontas county auditor Margene Bunda vowed to buy a new voting system that had a paper trail when she spent her HAVA money. And she did, sort of.

We wound up with paper ballots AND vapor ballots (with no voter-verified paper trail) in every precinct. Hmmm.

Then we had our first election on the new gadgetry in June. The pollworkers were pretty obviously steering the voters to the paperless vote manipulating device called a touchscreen. When it was over, Pocahontas county had a high rate of paperless voting.

Today in our uncontested school board race the only paper ballot in sight hung on the front door. It was the sample ballot. Inside the poll only the touchscreen was available. A $4,000 computer to tally one uncontested race.

Meanwhile in Maryland, where they also use only paperless touchscreens, no polls were able to open in the whole of Montgomery county. Someone forgot to send all the pieces out to the polls, so the gadgets were unusable until mid-morning. Here’s an eyewitness account.

Maryland could be our future, too.

Update: Here is another eyewitness report from a different Maryland county with different problems. It is by a computer scientist who is a poll worker.

School Board Voting Tuesday

Monday, September 11th, 2006

Don’t forget that the school board election is Tuesday, September 12. I’ll be voting in the uncontested race in Laurens mainly to see if anything is different from the primary election. Will they still use those high priced touchscreens and scanners for an election with no contests? Hand counted paper ballots would be cheaper and faster.

Mother Jones Messes Up

Monday, September 4th, 2006

Mother Jones magazine has an article called “Just Try Voting Here: 11 of America’s worst places to cast a ballot (or try)”. In the part called “Machine Meltdowns” they printed this error:

In Pottawattamie County, Iowa, machines suddenly began counting some candidates’ votes backward.

Now it is true that some voting machines are capable of counting backwards if the totals get high enough (over 32,000 votes, I think). But that is not what happened in our June primary in Pottawattamie County.

What really happened is that the machines didn’t know about ballot rotation. Rotation keeps the same candidate from being at the top of the list in every precinct. The machines were set up to read the top line and report the total for candidate A in every precinct even though candidate A was not actually in the top slot in all precincts.

This produced some eye-opening results and the machines were turned off before bedtime. Paper ballots were counted correctly the next day.

It’s a simple story. How could Mother Jones get it so wrong? Well, at least there is a paper trail, and they can correct their error.
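A small model of the rotation failure described above, added here as an illustration and not taken from the county’s or any vendor’s software: ballots are recorded as the marked line, and the tabulator either ignores or honors each precinct’s rotation. The candidate names, the rotate-by-precinct-index rule and the test-deck patterns are assumptions of the example.

```python
from collections import Counter

BASE_ORDER = ["Adams", "Baker", "Clark"]  # constructed candidate names


def rotated_order(precinct_index, base=BASE_ORDER):
    """Order printed on a precinct's ballot: base order rotated by precinct index
    (an assumed rotation rule, chosen only for this model)."""
    k = precinct_index % len(base)
    return base[k:] + base[:k]


def tally_by_top_line(marked_positions, precinct_index):
    """The misconfiguration: line i is always credited to BASE_ORDER[i].
    precinct_index is accepted but deliberately ignored."""
    return Counter(BASE_ORDER[pos] for pos in marked_positions)


def tally_rotation_aware(marked_positions, precinct_index):
    """Correct mapping: line i is credited to whoever is printed on line i."""
    order = rotated_order(precinct_index)
    return Counter(order[pos] for pos in marked_positions)


def build_test_deck(precinct_index, uniform=False):
    """Pre-election test deck for one precinct.
    uniform=False: candidate n gets n+1 votes, so any mix-up changes totals.
    uniform=True: one vote per candidate, a deck that cannot see a mix-up.
    Returns (marked_positions, expected_totals)."""
    order = rotated_order(precinct_index)
    expected = {name: 1 if uniform else n + 1
                for n, name in enumerate(BASE_ORDER)}
    deck = []
    for name, votes in expected.items():
        deck.extend([order.index(name)] * votes)
    return deck, expected


def failing_precincts(tally_fn, precinct_count, uniform=False):
    """Run the test deck through a tabulator in every precinct and return
    the precincts whose reported totals differ from the expected totals."""
    failures = []
    for p in range(precinct_count):
        deck, expected = build_test_deck(p, uniform)
        if dict(tally_fn(deck, p)) != expected:
            failures.append(p)
    return failures


if __name__ == "__main__":
    print("top-line tabulator, distinct-count deck:",
          failing_precincts(tally_by_top_line, 6))
    print("top-line tabulator, uniform deck:",
          failing_precincts(tally_by_top_line, 6, uniform=True))
    print("rotation-aware tabulator:",
          failing_precincts(tally_rotation_aware, 6))
```

In this model the top-line tabulator is only right in precincts where the rotation happens to match the base order, and a test deck with the same number of votes for every candidate passes it everywhere.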

DI Editorializes Against Email Ballots

Sunday, September 3rd, 2006

The Daily Iowan has followed its skeptical coverage of the email ballot plan for military voters with an even more skeptical editorial.

. . .the e-mail program used for the voting, the Simple Mail Transfer Protocol, does not provide encryption or a way to authenticate security. For hackers, this could be an invitation to change people’s ballots or prevent their vote from reaching an auditor’s office in the United States. . . .

The issue of privacy is especially relevant for those serving in the military overseas. With their e-mails already monitored for content to ensure locations aren’t compromised, etc., what’s stopping the government from monitoring votes or a superior officer from discovering how a soldier of lower rank voted and then punishing him because of it. This scenario is obviously not one we’d like to see played out, but the unfortunate truth is that it could happen, and things far worse have happened within the military.