Iowa Voters

In a late-night press conference convened just before the Friday midnight deadline for voting system changes before next spring’s primary election, Secretary of State Debra Bowen announced widespread decertification of most types of electronic voting equipment used in California, including the Diebold TSx, which is also widely used in Iowa.

The withdrawal of certification for the equipment was the culmination of a complete top-to-bottom review of all election systems used in California. In her campaign for Secretary of State last fall, Ms Bowen, a former state senator, had promised a thorough study of the state’s voting systems, which she set in motion immediately upon taking office last January. The review consisted of four separate studies encompassing all aspects of the system: security, accessibility, system software, and a review of official documents related to the equipment.

“Secretary of State Bowen took the only responsible course of action in light of the severity of the study’s findings,” said Robert Ferraro, a Co-Director of SAVE Our Votes, a grass-roots citizens’ group working for Secure, Accessible, Verifiable Elections in Maryland.

The decertifications will prohibit the use of most Direct-Recording Electronic (DRE) voting equipment, often referred to as touch-screen machines, except for those used in early voting and one in each precinct to provide accessibility for voters with disabilities. These DREs have been conditionally reapproved under stringent conditions for their use, including a requirement to handcount all of the voter-verified paper print-outs from the machines instead of using the electronic votes tallied by the machine. California already requires each voting machine to provide a voterverified paper record of each vote for use in audits and recounts of election results. A paper trail bill also passed in Iowa this spring.

While many of the reports’ findings reconfirm vulnerabilities revealed in previous studies, some shocked even the computer experts who performed those earlier reviews. Dr. Aviel Rubin, a computer security expert at Johns Hopkins University who scrutinized voting source code from Diebold Election Systems, Inc. in 2003 commented on his blog, “In all cases, the analysts were able to rewrite the firmware on the machines. This means that an attacker could change every aspect of the behavior of the voting systems….There are many other examples of attack that are much more serious than what I expected from this report — and I was expecting a lot.”

The full reports from California are posted.

This post adapted from a press release by Robert Ferraro.

Howard Stanislevic, a computer network engineer in NYC who has been studying the intersection of elections and computers, sees a clear path ahead despite the rancor among election activists over current legislation. At his blog he has proposed these five steps, only one of which is currently met by Iowa:

1. Publicly disclose and audit all Ballot Definition Programming before each election. Follow up with rigorous Logic & Accuracy tests.

2. Aggregate precinct totals transparently and independently after posting and witnessing them at the precincts on election night.

I’m not sure how transparent Iowa’s process of tallying is, but I know precinct totals are not posted at my precinct.

3. Audit within-precinct tallies (using paper and hand-to-eye counts) with a statistically accurate, fair and efficient (SAFE) method.

You’ll be hearing more from me about these SAFE audits.

4. Follow up on any discrepancies found until correct outcomes can be confirmed with very high certainty (prior to certification of course). Ninety-nine percent has been shown to be feasible for all recent federal elections without excessive administrative burden.

5. Have plenty of paper ballots on hand in case of DRE failures (or ban the DREs altogether until someone can get them right)! The 9.2% failure rate allowed by the federal voting system standards makes DREs an unacceptable technology for running elections, especially when other methods are used in other jurisdictions within the same State.

That last one should be already met by Iowa. It’s in the code anyway.

Notice Howard can guarantee the election was properly decided even without examining source code. This avoids the problem of trade secret software, and the problem of trying to spot every possible error in the software even if it is made public.

Howard goes on to compare these five steps to current legislation (HR 811, the Holt bill). He conditionally endorses the bill even though it falls short of his 5 steps.

The Iowa House has passed the paper trail bill, one which leads eventually to the end of the trail for touchscreen DREs in this state. It’s a victory for good government and citizen activism.

Iowa’s bill includes $2 million to bail counties out of the mess they wandered into when they bought paperless touchscreen voting machines, known in the trade as Direct Recording Electronics (DREs). Auditors who have them must either replace them now or buy paper trail printers to augment them. They have until June 15 to make their choice. You have about half that time to make your opinion known to your auditor if you want to have an impact.

When the current touchscreens wear out or embarrass their owners by mis-performing (see North Carolina, Cuyahoga county, Sarasota, etc.), auditors are not allowed to buy anymore of them. Iowa has now prohibited both punchcards and DREs. We will have only optically scanned ballots in the sweet bye and bye.

Thanks to State Representative Mary Gaskill who led this effort in the House and to Senator Jack Kibbie whose sound bite on WOI radio in 2005 kicked off the campaign in Iowa.

Kibbie had pointed to the unresolved race in North Carolina in 2004 in which paperless voting machines lost 4,000 votes. He introduced a bill to get paper trails for Iowa. Auditors and county election directors resisted, sending Dawn Williams, Mary Mosiman and Linda Langenberg to testify against the bill. Feeling the resistance, Kibbie told his constituents to write letters to the editors of the DM Register.

During that session the Senate had its own troubles with its electronic voting board and got religion. They passed Kibbie’s bill unanimously. It stalled in the House under the influence of Langenberg’s own state representative who was chair of the relevant committee. Meanwhile Iowa auditors spent their HAVA money, buying hundreds of paperless voting gadgets.

Simultaneously Iowans for Voting Integrity was born. Their leaders spoke to State Representative Mary Gaskill, informing her that Iowa had its own expert on electronic voting in UI professor Doug Jones. Gaskill was in the minority in Des Moines, but she acted anyway, scheduling Jones for an informal discussion of paper trails at the statehouse in March 2006. Some legislators attended.

The House finally took up the bill but only because the majority Republicans hoped to use it as a way to also get tougher voter ID laws. The gambit failed. Vilsack wasn’t going to sign any such deal.

Meanwhile the news was grim for DREs. A string of studies from Blackbox Voting, Princeton University, UConn, NYU’s Brennan Center, GAO, Congressional Research Service coupled with negative news coverage from Cleveland, Chicago, Florida, California, New York, Colorado, New Jersey and elsewhere exposed the weaknesses and poor performance of the DRE technology. It was all topped off by two spectacular voting machine failures, one in Council Bluffs and the other in Florida. The Iowa fiasco in June was salvaged because there was a paper trail to recount. The Florida Congressional race in November probably sent the wrong candidate to Congress because there was no paper trail for the 18,000 missing votes.

That same November election brought paper ballot user Mike Mauro in as SoS and a Democratic majority in both parts of the legislature. The stage was set.

Mauro moved first, inexplicably appointing paper trail opponent Langenberg to be his election director. Had he abandoned his campaign promise? Maybe he had merely co-opted the auditors by bringing the critics into the tent. At any rate, he got the job done. Support for the paper trail bill remained high in the legislature and new bills were introduced.

At least one was a trick! It required printers but gave the printed ballot no role! Someone (we don’t know who it was) had tried to fool the legislators with a pretend paper trail.
A new point man for IVI, Sean Flaherty, began contacting legislators at every stage of the process.

The current bill accomodates those unrepentent auditors who won’t recognize the perils of DREs or won’t admit they erred. They can put more of our money into those gadgets via the paper trail printer contraptions. But there it ends. No more paperless equipment can be purchased.

That way we always will have something to audit. We still need audits. All these ballots are counted by computerized scanners and thus subject to hacks and errors galore. After the election there should be a system for examining ballots by hand to verify the machine’s work.

Federal legislation is pending that addresses this. Perhaps Gaskill will also address it next year. Encourage her.

This was too good to pass over, even though it is not about Iowa. New voting machines in France were condemned following Sunday’s vote because they caused long lines (up to two hours). Here’s the best quip:

Philippe de Villiers, a nationalist Catholic candidate in the election, called it a “cheating machine” as he voted in his home town of Herbiers in western France.

I think this election had only one race. I just read in the Christian Science Monitor about the usual French voting method (No Hanging Chads) using an envelope and preprinted slips of paper. Voters get an envelope and can select as many paper slips as they want. Each slip has one candidate’s name on it. Then in the voting booth, they select one slip to put in the envelope. They drop the envelope in the ballot box as they leave the poll.

I guess that was too low tech for the 21st century. Gotta have expensive touchscreens!

It is possible to “steal all the votes in [Clayton or Fayette] county without being detected” according to a “respected computer scientist who is familiar with the inner workings of the ES&S iVotronic electronic voting system.” The iVotronic is the only voting machine available in Clayton and Fayette counties. It is also used by some voters in Emmet, Calhoun, Jasper, Lee, Johnson, and Clinton counties.

The charge of insecure voting machines has been made to the federal Election Assistance Commission following a study of the machines in Florida. These machines were responsible for the 18.000 missing votes in Sarasota’s Congressional race last November. The news of this vulnerability is being withheld by the EAC but has been leaked to VotersUnite.org. The anonymous computer scientist concludes

One consequence for advocates is that this is further evidence that it’s not just one vendor who has serious security problems; it’s a second instance this sort of virus vulnerability. Don’t let anyone tell you that if we just “kick Diebold off the island” all of the security problems will go away.

The scientist warns local officials,

Don’t use the iVotronic in major elections until the security problems have been verified to be fixed. . . . Because making these kinds of changes to a voting system and getting approval from testing labs and certification authorities is a lengthy process, if we are to fix this problem before the 2008 primary, it is important to get this process underway immediately.

I have a better idea. Switch to paper ballots.

Well, maybe they expect only Michigan Dems will have opinions about what their state party does, but they already heard from me. Want to chip in? What else you got to do?

The Michigan Democrats want to allow internet voting in their Presidential primary again this year and have asked for public comment by April 27.

You can read the plan here and comment by fax (517-371-2056) or mail (606 Townsend, Lansing, MI 48933) or by email to jmoon@michigandems.com

You’ll look in vain (see page 6) for any explanation of why they think internet voting is secure. They may not even know it’s risky.

So that was my public comment and it’s one you can pose as easily: “Please tell us what computer scientists have defended the security of your internet voting scheme. If you can’t mount a knowledgable case for it, then don’t do it. It sets the stage for insecure internet voting in the general election. Don’t set a bad example.”

See how easy that is? By April 27 you could probably write something even better. (Hat tip to JMC in NC)

Happy Easter. Let’s talk about Easter eggs.

Not the holiday Easter eggs, but the computer software easter eggs–hidden bits of programming that open up only when certain secret commands are given. They are a threat to voting machines.

That’s one reason machines are supposedly “tested and tested and tested” –to see if the code works correctly and to hunt for easter eggs. Testing might find hidden code, but it can’t guarantee no hidden code went undetected.

So we have asked for open source software, or at least for the current software to be made public. Even if the code is open today, a future change of code could introduce new problems. Most election officials and poll watchers can’t tell the status of the code anyway.

There’s a better solution to this threat: audits

We can’t decipher code but we could easily audit the paper ballots. A good audit could make us 99% certain that the election was correctly called.

We just need to let statisticians show us how many ballots to hand count in each case. The number varies with the number of precincts, their sizes, and the margin of victory.

Relying on software to determine elections has been condemned by the Technical Guidelines Development Committee of the National Institute for Standards and Technology. It’s time to turn to audits.

Sarasota was warned. Sarasota did nothing. Sarasota’s race for Congress came up 18,000 votes short. The wrong person went to represent Sarasota in Washington, D.C.

The loser filed suit over the voting machines. The state investigated. Sarasota did not mention the warning. The voting machine company (ES & S) did not mention the warning. The loser lost again. The voting machines were exonerated in the press.

The loser’s attorneys kept digging. On a website in North Carolina they found the warning memo. It said the touchscreens were erratic and slow. It said the voter may have to hold a finger on the screen for several seconds in order for the vote to register. It said to fix this problem before the election.

Sarasota didn’t do it, nor did they warn voters, nor did they admit they knew this when the 18,000 votes were missing.

I call that a cover up.

The whole story is well told at the Bradblog today. I am pleased to see Brad has abandoned his green background with the yellow lettering. This post is actually easy on the eyes, so I’m happy to link to it.

At the heart of the current voting machine mess is the reliance on corporations to run public elections. One voting machine company just went out of business, leaving some Indiana counties up a creek without a paddle:

“From the best we can tell they no longer exist, so we have no support for our equipment,” Thornburg said.

The Wisconsin company’s telephone is disconnected.

That company does not run any Iowa voting machines, but this one does and they drove one Arkansas election official to resign:

Election Systems and Software is the company providing the Ivotronics machines and related software.

“The reason I am leaving is the provider of the Ivotronics and related software lacks competency to make their equipment work timely and effectively. They … make a difficult job impossible to do,” said Selph.

“They can’t spell, meet deadlines, send documents to the right address or code elections correctly. They leave races off the ballot for us to correct, they can’t program their software to work and you have to hand add the results. And they don’t return phone calls,” Selph said.

“The ES&S people in Arkansas are capable but the people I have dealt with in the home office in Omaha prevent them from being effective. They are also mean-spirited when you try to get them to correct the numerous and recurring errors,” he said.

The wonders of the market economy. They are not for elections

Democrats loved HAVA in the beginning. It was going to end the large number of spoiled or undervoted ballots that plagued some Democratic precincts. “Don’t worry about that paper trail nonsense,” they said. “Democrats will win more votes with new e-vote machines because more votes will get counted.”

New Mexico saw the opposite result. In 2004 they made the switch to electronic machines. In 2006 they switched back to voter marked paper as a way to satisfy the public demand for paper trails. The undervote rate went up six-fold in some of the most Democratic precincts in 2004 and came back down in 2006. Stunning.

Here’s the research: link

The 18,000 missing votes in Sarasota, Florida resulted in a study of the voting machines that was released this week. It say the machines are “terribly insecure“. Iowa uses similar machines in Emmett, Calhoun, Clayton, Clinton, Fayette, Jasper, Johnson, and Lee counties.

Commenting on the report, computer scientist Ed Felton of Princeton says:

Experience teaches that systems that are insecure tend to be unreliable as well — they tend to go wrong on their own even if nobody is attacking them. Code that is laced with buffer overruns, array out-of-bounds errors, integer overflow errors, and the like tends to be flaky. Sporadic undervotes are the kind of behavior you would expect to see from a flaky voting technology.

Missing votes may be in our future, too, if we continue to use tally our votes on touchscreens.

Update: Photos and first person account of this story are here.

Another Princeton University scientist has hacked into another brand of voting machine. It took seven seconds to pick the lock. Then he wrote vote-stealing software that would run only on a certain Tuesday in November. He said the machine was a hacker’s dream. They are used all over New Jersey.

Last summer it was Diebold stuff that came under the knife at Princeton. Similar Diebolds are used in Iowa.

This time it was Sequoia voting machines. They had been sold on the internet by officials in North Carolina. The Princeton man spent $82 to get 5 of them. Recently New Jersey bought nearly identical devices for $8,000 each. Over 100 machines were sold from GovDeals.com. The Princeton purchaser points out that

He is confident his students and other recent buyers of 136 Sequoia machines sold on GovDeals.com — where bidders also can find surplus coffins, locomotives and World War I cannons — will crack Sequoia’s code.

Then, he said, it will be fairly simple for anyone with bad intentions and a screwdriver to swap Sequoia’s memory chips for reprogrammed ones.

Don’t tear your hair out just yet: I’ve only told half the story.

The other half is an allegation that NJ never tests its voting machines, despite state law saying they must do so. New Jersey law is remarkably like Iowa law. Three examiners (same as in Iowa) get paid $150 each (same as in Iowa) by the voting machines company (same as in Iowa) to examine the machine for compliance with vague criteria (same as in Iowa).

Have no faith in paperless voting machines. No one is minding the store.

Thanks to John Gideon of Voter’s Unite for calling attention to this NJ story. John’s been doing this sort of work for two or three years now. He is one of my main tipsters.

Iowa’s election director Sandy Steinbach has been contradicted in a report to the federal Election Assistance Commission (EAC). The report resulted in the exclusion of Ciber laboratory from its previous role as an independent testing authority(ITA) dealing in voting machines. Ciber has “tested” all of Iowa’s voting machines, according to Steinbach.

In a January 8, 2007 email to me, Steinbach said Ciber was no longer allowed to test voting machines merely because some administrative hurdles had not been cleared. She wrote:

Ciber applied for EAC certification. The reason that the Ciber did not receive EAC certification was the administrative requirements. Ciber’s technical capability is not in question. You can verify this by calling Brian Hancock at the EAC.

But the newly released report says Ciber’s technical capability is in fact the problem. It says Ciber cannot show it follows its own testing protocol and that:

“CIBER has not shown the resources to provide a reliable product. The current quality management plan requires more time to spend on managing the process than they appear to have available and it was clear during the assessment visit that they had not accepted that they have a responsibility to provide quality reviewed reports that show what was done in testing. The ITA Practice Director indicated during the assessment that their difficulties were that corporate CIBER did not allow for the personnel resource time for quality management functions . . . .

Worse than that, the report says Ciber admitted :

. . .that the testing for a product tends to either use vendor developed tests or new tests developed specifically for the product – they have no standard test methods defined. This makes their testing dependent on the vendor input and vulnerable to unique vendor interpretations . . .

In short, the feds now know that the so-called independent testing authorites, who provide a patina of legitimacy for secretive computerized voting machines, are not independent, not doing the testing, and not authorities of any sort. We critics have been saying that for years. Give us ten more points. Score now at 193-0.

The report had not been made public when Steinbach wrote her email. It became public when New York officials threatened to subpoena it.

The most puzzling part of this report is its reporter, Steve Freeman. He once served under Sandy Steinbach when they both dealt with the ITAs for the National Association of State Election Directors(NASED). Why is Freeman criticizing Ciber now after years of accepting their work at face value? Perhaps Steinbach has already explained. In her email she lamented:

Our reviewers spent literally thousands of unpaid hours and accomplished a great improvement in the quality of voting system reliability. . . .Did we have the formidable resources now in the hands of the EAC? No. Given what we had to work with the NASED program accomplished a great deal. It was not perfect. NASED, fully recognizing our own limitations (no budget or paid staff, with voluntary standards that we had to beg for years to have updated, neither the authority nor the resources to go in and audit the labs) worked for many years to gain federal interest in the voting system testing process.

So Ciber was the wizard of Oz, hiding behind a curtain of proprietary secrecy, doing wonderful things for vendors and fooling the NASED volunteers, including Steinbach. I wonder if she feels betrayed.

In light of the increase in contested elections since 2000:

* the 18,000 missing votes in Sarasota, Florida in 2006
* the decertification of the lab that “tested” a majority of US voting machines
* the conviction of two Ohio election officials for rigging the 2004 presidential recount

concerned citizens are questioning the integrity of our voting systems.

A recent recommendation released by the National Election Data Archive (NEDA) suggests that a system for election audits may be the solution to ensuring the integrity of election outcomes.

NEDA’s new paper provides a small table to look up the margin between the leading candidates to find a percentage and a minimum election audit amount that would ensure that election outcomes are accurate.

For example, if we wanted to audit the Boswell-Lamberti election, the table says we would have to hand count the ballots in 6 precincts because the margin of victory was just over 5%.

There are two problems with this. First, some counties in the district are unauditable since their voting machines leave no paper trail. We know how to fix that, don’t we?

Second, the NEDA formula is so simple that it might miss some manipulated precinct results–even missing enough mischief that we have only a low degree of confidence that our audit has been effective. For example, the NEDA paper assumes 440 precincts in a Congressional district, whereas the Des Moines area district has only 330.

There are other formulas for selecting the number of precincts to audit, and I’ll look into them later. For now remember that getting a paper trail is only the first step if we want to guarantee election returns that are counted by software. Auditing is the second step. We need both.

If you can handle some math or like colorful tables, you might want to examine the NEDA paper.

Two high ranking county election workers in Ohio have been found guilty of rigging the recount in 2004. They were required to recount three per cent of their presidential votes. If any discrepencies were found, a full recount would be conducted.

So to make sure they avoided the full recount

the employees broke the law when they worked behind closed doors three days before the public Dec. 16, 2004, recount to pick ballots they knew would not cause discrepancies when checked by hand so they could avoid a lengthier, more expensive hand recount of all votes.

Remember how Diebold claims its election software doesn’t really need to be secure because there is no such thing as dishonest election workers?