Iowa Voters

by Jerry Depew

Even the Department of Defense is fretting over its new email voting scheme, now involving only a handful of states including Iowa. One computer scientist told a reporter the new system is “far worse” than the plans that were scrapped in 2004:

Last month, an internal Defense Department review of its ballot system “found significant concerns surrounding the e-mailing of voting materials.'’ The review stated: “E-mail traffic can flow through equipment owned and operated by various governments, companies and individuals in many different countries. It is easily monitored, blocked and subject to tampering.'’

. . . .

David Wagner, an associate professor of computer science at the University of California-Berkeley, said the system of fax and e-mail was “far worse'’ from a security perspective than the Pentagon’s last attempt to solve this issue: an online voting system the Pentagon canceled in 2004 because it could not prevent electronic ballots from being altered or erased.

Iowa joined this “far worse” system with considerable fanfare last month.

JD

I haven’t covered it here at Iowavoters because it didn’t look like an Iowa story, but now it is. This week computer scientists at Princeton University released a paper and a video on how to hack a Diebold touchscreen vote manipulating device, the TS. In Iowa we have the successor model, the TSx.

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.

On Wednesday Diebold responded:

“By any standard - academic or common sense - the study is unrealistic and inaccurate.”

Today University of Iowa computer scientist and voting machine expert Doug Jones rebutted Diebold:

Diebold owes the public a list of the third party security analyses that have found their system to be secure. None of the analyses I’m aware of drew positive conclusions.

All three of the above links go to short documents. You really can afford to follow all three if you are interested.

Iowa’s Secretary of State recently placed before us some new rules on the handling of our vote manipulating devices. One of the proposed rules says this: “Only a person who is authorized in writing by the commissioner to do so shall be permitted to attempt to repair malfunctioning voting equipment.”

This vague standard will not protect us from the roving technicians deployed by the vendors of our voting equipment. It is common for the vendors to hire temporary help at Monster.com, give them cursory training, send them out to polling places as trouble shooters, and charge counties a pretty price for their services. On Tuesday one such technician confessed his ignorance to a pollworker in Maryland, not knowing his confession would appear on the internet:

Throughout the early part of the day, there was a Diebold representative at our precinct. When I was setting up the poll books, he came over to “help”, and I ended up explaining to him why I had to hook the ethernet cables into a hub instead of directly into all the machines (not to mention the fact that there were not enough ports on the machines to do it that way). The next few times we had problems, the judges would call him over, and then he called me over to help. After a while, I asked him how long he had been working for Diebold because he didn’t seem to know anything about the equipment, and he said, “one day.” I said, “You mean they hired you yesterday?” And he replied, “yes, I had 6 hours of training yesterday. It was 80 people and 2 instructors, and none of us really knew what was going on.” I asked him how this was possible, and he replied, “I shouldn’t be telling you this, but it’s all money. They are too cheap to do this right. They should have a real tech person in each precinct, but that costs too much, so they go out and hire a bunch of contractors the day before the election, and they think that they can train us, but it’s too compressed.” Around 4 pm, he came and told me that he wasn’t doing any good there, and that he was too frustrated, and that he was going home. We didn’t see him again.

As you can see, these people should not have access to the equipment at the polls, even if they do have written permission. Since Iowa’s new rule is up for public comment, now is the time (comments close next Tuesday) to tell the SoS that written permission is too weak a standard. Only regular election personnel should be tweaking the gadgets once the pre-election testing has been completed.

Comment to Sandy Steinbach at sos@sos.state.ia.us

The Daily Iowan has followed its skeptical coverage of the email ballot plan for military voters with an even more skeptical editorial.

. . .the e-mail program used for the voting, the Simple Mail Transfer Protocol, does not provide encryption or a way to authenticate security. For hackers, this could be an invitation to change people’s ballots or prevent their vote from reaching an auditor’s office in the United States. . . .

The issue of privacy is especially relevant for those serving in the military overseas. With their e-mails already monitored for content to ensure locations aren’t compromised, etc., what’s stopping the government from monitoring votes or a superior officer from discovering how a soldier of lower rank voted and then punishing him because of it. This scenario is obviously not one we’d like to see played out, but the unfortunate truth is that it could happen, and things far worse have happened within the military.

I have been urging the creators of Vote-PAD to come to Iowa and get their invention certified for use in our elections. (Vote-PAD is a low-tech way to assist disabled voters with ballot marking.) There is currently no market here for their product since our counties already have bought more expensive high tech gadgets that purport to assist some disabled voters, so the Vote-PAD people have not attempted to get Iowa certification.

Instead they went to Wonderland California. But the Queen of California laid a trap for them. On Friday California denied them certification, following the most bizarre certification process imaginable. Vote-PAD has responded with this satire of the California decision. Here’s a taste:

The Queen started by describing the testing process, “We asked them to vote independently on the Vote-PAD, and we told them exactly what to do the entire time.”

“Excuse me,” said Alice, “but how is that independent?”

“That’s not the point,” said the Queen. “The point is that they weren’t able to vote independently.”

“But you didn’t let them,” objected Alice.

The state announced its decision on a Friday. Last winter it was also a Friday when they certified Diebold’s touchscreens despite a report saying the Diebold system violated federal standards. Friday is when many government agencies announce things that are embarrassing to them because fewer people see the newspaper on Saturdays.

I still hope Vote-PAD comes to Iowa. I think they would get a fair hearing from the Iowa board of voting machine examiners. Then if some county has trouble with their Diebolds, an alternative would already be certified.

All over America the ballots from the 2004 election are still in storage. Federal law requires that they be retained for 22 months after the election. The time is about to expire.

County election officials in some states may have the authority to dispose of these ballots in any way they wish next month when the time elapses. They won’t bring much on Ebay, so mostly they will be discarded. But some people would like to get them. Maybe you can arrange it.

A Wisconsin voting machine expert (John Washburn) is seeking 3000 actual paper ballots. He has asked his local election supervisor, but she has said she intends to destroy the ballots.

Washburn wants the ballots in order to demonstrate a new way to “hand count” paper ballots(How to Count Thousands
of Paper Ballots by Hand). He will use a super sensitive scale instead of thumbing through the ballots while he counts. His scale can detect weights to a fraction of a gram. Ballots weigh more than 20 grams. So a stack of ballots could be counted far more accurately by weighing them than by thumbing them.

Here is Washburn’s request:

Does this work? Work fast enough? Work with multi-race ballots? Have sufficient check and balances and security to minimize fraud?

I want to get real world, empirical evidence of the viability of this proposal (or lack therof). I want to video record the whole 6-7 hours to DVD. The availability of the raw video as well as 30 second, 1 minute, 10 minute, and 30 minute versions is to blunt claims I have presented this in an out of context way.

I have a scale company here willing to lend me a $1500 high capacity, high sensitivity counting scale for nothing more than prominent product placement in the resulting video.

I have a film crew available (camera, lights, sound, and director) willing to donate the equipment and time in exchange for the copyright to the result and credit toward their film degree.

What I don’t have is a set of real ballots to sort, weigh and count. The 22 month retention period for the November 2, 2004 election materials expires on September 2, 2006 . What is more realistic than actual ballots as marked by actual voters?

What I need:
1) 3,000 or more ballots from November 2, 2004.
The ballots:
a) Need not all be from the same jurisdiction.
b) Must have the same ballots structure; i.e. the same set of races with the same set candidates printed in the same order.
c) Must be printed on discrete, uniform pieces of paper; the heavier the better. Optically scanned ballots would be best. But ballots from a Populex systemor Proofs of votes from an AccuPoll system would work as well. VVPAT toilet paper (Not discrete) or cut and dropped VVPAT will not work (not cut to uniform lengths).
d) Have at least 8 races on it.

Can anyone help me find a jurisdiction with ballots from polling places which meet my selection criteria? On September 3, 2006 ballots from jurisdictions all across the country will be in dumpsters. I would like to rescue some of this trash and put it to good use.

One Florida county has decided to donate its ballots to a university for use by researchers. Washburn can go to Florida to do his research, if necessary. But if we can help, it should not be necessary.

Unfortunately Iowa law requires the destruction of old ballots, so please pass this request on to others. Have them reply to Blog@WashburnResearch.Org if they can secure the ballots. Or they can comment here or email me.

The other night on CNN Lou Dobbs bemoaned the appearance of old voting machines on the auction block at Ebay. He worried that villians would learn how to steal elections if they got access to the equipment. This time Lou missed the point in his otherwise admirable coverage of the voting machine mess brought on by the Help America Vote Act.

What should concern Dobbs is all the secrecy that surrounds the system and the programming for the vote counting gadgets. Only ONE thing shoud be secret about elections–how you mark your ballot. Here’s computer scientist Justin Moore on why this is the goal:

The best systems have the fewest secrets. Anything that needs to be kept secret — such as a password, an encryption key, a physical building key — in order for the system to work securely is a potential point of attack.

The more things that need to be kept secret or secure, the more points of attack.

“Whoops, you can load a new OS [operating system] with a PC card! Better secure it.”

“Whoops, you can modify the audit trail without an
application password. Better keep the OS login secret.” Etc, etc.

The best systems are the ones where you can hand over the entire
source code to the attacker, and they still can’t get anywhere. In
other words, the source code reveals no points of attack, and no longer needs to be secret.

But today’s corporate voting machines are so poorly designed and programmed (that’s the charitable view) that they depend on locked storage, passwords, security tape and other devices to protect their “integrity.”

It won’t work.

The CNN program Moneyline has been covering voting machines intermittently for some weeks now. Monday they reported on Iowa:

DOBBS: More evidence tonight that the security of our elections, the integrity of our democracy are at risk from electronic voting machines. A county in Iowa has just come close to putting the wrong candidate in office because of a massive programming error.

Kitty Pilgrim has the report.

(BEGIN VIDEOTAPE)

KITTY PILGRIM, CNN CORRESPONDENT (voice over): On June 6th, in Iowa’s Pottawattamie County, the early electronic vote tally showed a popular 23-year incumbent losing to a 19-year-old college student. Highly suspicious, the auditors stopped the electronic count and started counting by hand. The electronic machines made by ES&S, one of the three major voting machine companies in the country, had miscounted every race on the ballot.

LOREN KNAUSS, POTTAWATTAMIE COUNTY SUPERVISOR: The discussion that we had afterwards as we started doing our review, the company, ES&S, misprogrammed the computers. And then on our side, the tests were not thorough enough. So it was — we’ll just say it was a 50-50 mistake on their side and ours.

PILGRIM: Knauss was running against 10 people in a Republican primary, and according to the voting machines, he was coming in ninth. After the manual recount, he came in first. He says without a paper trail, the election would been completely botched by the electronic machines.

Electronic voting experts have come to a conclusion over what went wrong with the ES&S machines.

JOHN WASHBURN, VOTERTRUST USA: What happened in Pottawattamie County is that they have a rule that the paper ballots, the names from precinct to precinct, have to rotate. So, while I might be at the top of the ballot in precinct one, I’d be number two in precinct two, number three in precinct three, and so on.

What the machinery did, though, is the programming didn’t take into account this rotation on the paper ballots. And so, regardless of whatever name was on the top of the ballot, it would always accrue for a single candidate.

PILGRIM: Computer experts point out in this case how the ballot was programmed was a mistake. But misprogramming ballot tabulation could also be done on purpose if someone wanted to tamper with an election.

(END VIDEOTAPE)

PILGRIM: The Iowa secretary of state says the programming by the vendor was done incorrectly. So the state is going to pay more attention to the pre-election testing of the machines.

But ES&S issued a statement saying the issue was not related to the reliability of the machines, rather error in the way the ballots were coded. It was a human error, they say.

All of this goes to prove, you really do need this paper trail.

DOBBS: Went from ninth to number one. If this message is not getting through that’s emanating from every corner of the country using these voting machines, I don’t know what it will take.

PILGRIM: I know. And when you talk to county after county after county that have these problem, they all come to the same conclusion, you must have a paper record, it seems.

DOBBS: And I love the electoral officials in these counties and districts, and in some cases states, saying we’re going to pay closer attention this time. Wouldn’t you pay close attention every time?

PILGRIM: One would hope so. It is an election.

DOBBS: Kitty, thank you very much.

http://transcripts.cnn.com/TRANSCRIPTS/0607/31/ldt.01.html

This tip is base on a rumor: I have heard that Lou Dobbs may discuss the Pottawattamie county ballot miscount on his Moneyline show Friday.

Dobbs continues to cover voting machines better than anyone else in the vast wasteland.

This is a long story. It has mostly played out elsewhere on the web. Since I played a small part and since it involves Iowa’s election director Sandy Steinbach (see here ironically), I think it is worth posting for Iowa readers. It is about the programming of voting machines that we use in Iowa; about a lawsuit in California, and about correspondence with the Iowa office of the Secretary of State. Here goes:

It all started on the web when John Washburn posted some emails at his website. The emails came to light because of legal action in California regarding how that state had decided to approve the use of Diebold voting machines. But these emails refer to the other major voting machine company–Omaha’s ES & S–whose wares are used in Pottawattamie, Polk, Johnson, and other counties.

The emails are written by voting machine examiners for the National Association of State Election Directors(NASED). They worked under the direction of Sandy Steinbach, then chair of the NASED Voting Systems Board and long time election director for Iowa. Steinbach has praised their work:

“Brit Williams, Paul Craft and Steve Freeman are my heroes. These three men are the heart and soul of the voting system testing program and they do this work for free. None of them has a salaried position. They work as consultants and their time is valuable.

One of the emails indicates that there is virtually no way for a user of ES & S voting equipment to know whether the proper software is running on the equipment.

Every time pests like me cast doubt on computerized voting devices, the defenders say, “Don’t worry, the software has been certified by an independent laboratory,” thus making it sound like it has earned the Good Housekeeping Seal of Approval, or something. The point of the email published by Washburn is that the certified software is altered every time it is used. Thus it cannot claim to be certified any longer and it is virtually impossible for the user to know what has been changed.

This alteration occurs during the creation of every ballot that is prepared for use on ES & S devices. It wouldn’t have to work like this, but the oracles of Omaha designed it this way, so it does.

When Washburn posted these once private emails back in May, he concluded that the ES & S system always operates on uncertified software, and thus always in violation of the standards that supposedly protect us from vote manipulation by the machinery. His conclusion was sent to the NASED president and to Steinbach and others, but they did not acknowledge receipt.

Eventually a response was wrung from Iowa Secretary of State press agent Casey Sinnwell. It is posted here, and it addresses the question, “Does ES&S routinely use uncertified software to run elections?” Sinnwell’s answer is No, but to be sure you must be able to stand on your head and swallow swords while reading heiroglyphics. Or, as he put it–

To verify the software requires using a master copy and a copy of the election definition, then creating a reference copy of the specific election program to compare against the version used in the election. The technique is slightly more difficult because some EEPROM burner/readers create or fill blank areas with different characters and the sections need to be checked to verify that they are true fills. However, the technique has been used in Florida and other locations and the version of the software verified. . .

The problem is that the ES&S system can not be verified with a simple comparison, . . .

I was not reassured by this, so I wrote back to Sinnwell asking about the description of his method as “difficult” and “has been used in Florida” and “cannot be verified with a simple comparison”. I asked if it was fair to assume that county election officials would not be able to routinely make this comparison for their various ballots and thus would not know what the hell was actually going on in their vote counting gadgets. Sinnwell has not responded.

Washburn then went on to create a glorious picture of what this means. His comparison of ballot preparation with paint mixing leads even a technophobe to understand why it would be so difficult to tell whether the vote counting program has been corrupted in the process of creating the ballot. He says that a program (green paint) that is prepared by mixing the ballot information (blue paint) and the certified program (yellow paint) will yield a different shade of green for each ballot. But the bystanding auditor cannot unmix the paint to see if the proper portions of blue and yellow were used. This gem about 47 shades of green is hidden in the lower part of this post.

Slogging thru all this analysis is work. Probably no one but the auditors themselves has the motivation to puzzle it all out. But as Cerro Gordo’s auditor Ken Kline (a user of ES &S, by the way) once told me, “I didn’t get elected to do an ‘easy’ job.” Amen.

Calling it a July 4 firecracker, Blackboxvoting.org has released information that it kept secret in May. The secrets reveal what Diebold may have known all along: how to capture and corrupt their voting machines.

In May BBV released a self-censored report of its examination of Diebold equipment. The exam had been made possible by Bruce Funk at the Emery county election department in Utah. The report made national news because computer scientists proclaimed their shock at that the vulnerabilities of Diebold’s wares that were partially revealed in the report. BBV said that if the whole report were made public, it would constitute a road map for how to steal votes on Diebold touchscreens and avoid detection.

Why did Diebold deserve any deference from BBV in the first place? many people asked. Other computer scientists explained that it was industry practice for critics to privately warn software authors about weaknesses in their software. The weaknesses would not be reported publicly for a brief period, thus allowing the creator to make amends.

But Diebold did not make amends. It denied the problem. Election officials did not make amends, either. They kept using the equipment, merely adding a little security tape here and there.

Now the brief period has elapsed. The whole story is told, complete with pictures, at blackboxvoting.org.

Iowa counties collectively have millions of dollars invested in these devices, which were used in over a thousand precincts in the June primary.

Bev Harris and blackboxvoting.org sure know how to celebrate the Fourth of July: by practicing America’s politics of checks and balances. Happy Fireworks ~~*

The law school at New York University has studied paperless voting and electronic ballot counting and has CONDEMNED it, citing 120 ways to compromise elections! The school’s Brennan Center for Justice issued its report this week. It marks the third time this month that a well-established group has warned us against what Iowa election officials do to run elections. First came the LWV, then Common Cause, and now this one, the most impressive of the recent attacks on unaudited elections.

The Brennan Center assembled election officials, computer scientists, computer security experts, and members of the National Institute of Standards and Technology for a year long investigation. After discerning 120 ways to disrupt voting when electronic equipment is used, they named the easiest way: mess with the software, either before or after the machines are sold to the counties. It is the easiest because it takes only one person to pull it off.

It is even easier to do when the machines are set up for wireless communication, as they sometimes are.

But there is hope. The Brennan report (which is easy to read, I recommend it) says simple, cheap steps can go a long ways to mitigate the danger. Unfortunately hardly any jurisdiction takes all the steps and many jurisdictions have not implemented any of the safeguards.

First they say to use paper. Then they say to look at the paper by conducting random audits after the election.

Get rid of the wireless components in these voting machines, and have a plan of action when evidence of fraud or error appears.

Pottawattamie County showed how that last one works. Iowa also gets one recommendation right: Keep election administration de-centralized to frustrate fraudsters and dilute errors.

Two Iowans are cited in the Brennan study. Doug Jones of the U of Iowa is a familiar figure, one of the nation’s premier voting machine experts and a computer scientist. Patrick Gill, Woodbury county auditor, was one of the local officials surveyed by the Center.

Here is hard-hitting coverage that pins some blame on the new federal Election Assistance Commission, a group with its head in the sand. (Voting machines companies supply the sand.)

Iowa and 16 other states are at “high risk” of having a compromised election due to their use of paperless voting machines that cannot be audited, according to a report last week by Common Cause. I believe I’ve said the same thing myself!

None of Iowa’s neighbors made the high risk category. Minnesota, Wisconsin and Illinois were rated low risk, while Missouri, Nebraska and South Dakota were called medium risk. Congratulations, Iowa!

Detailing what they call “the current voting machine debacle”, Common Cause lists the problems of the new systems and relates stories of their failures from Texas, Virginia, Pennsylvania and elsewhere.

Their recommendation? Get the votes put on paper! They call for federal laws, state laws, more money, retrofitting, decertification–whatever it takes to get voter-verified paper ballots into the system again for everyone. And then conduct public audits of the paper, if the ballots were counted by computerized machinery.

So Common Cause and the League of Women Voters have both spoken out strongly in the last month for verifiable voting. Earlier the same points were made by the Carter-Baker Commission, the General Accounting Office, the Congressional Research Service, the Association for Computing Machinery. . . . Sheesh. Almost everyone but the people who run elections can see that the voting machines have no clothes.

Terersa Hommel says her remarks to the League were elemetary, but I say they are worth noting:

Our SARA resolution, which passed in our last national convention, was an important step at the time. My experience of the last two years, however, has driven home to me that “secure and accurate” cannot be determined without audits, but no Board of Elections is intending to audit. “Recountable” is inadequate because it only means we can recount, it doesn’t mean we will, and it doesn’t say that the recount has to constitute a meaningful, independent audit. You must know as well as I do that some vendors and jurisdictions have said that if they can reprint their tally sheets, this is a recount. I have no problem with accessible, other than that the whole concept appears to be used as much for political purposes as for assisting voters with disabilities.

Here is what SARA needs now:

Observable

If citizens are forced to “trust” anything other than observation, then an election lacks legitimacy and so does the government, whether or not irregularities occurred.

Voter-verified paper audit trails (”VVPAT”) were supposed to restore observableness to electronic elections by enabling voters to see their computer-printed paper ballot, and enabling Boards of Elections to do observable audits.

BUT, no Board of Elections in this country is intending to perform audits, whether or not they have VVPAT. I believe that one of the big reasons vendors and election people oppose VVPAT is because they don’t want to audit. Does this mean that they want to commit fraud without being detected? Or that vendors don’t want people to discover that their equipment doesn’t actually work? Or are they just thinking about convenience and forgetting what elections are for?

I believe that computers used in elections should be held to the same standards as computers used in the financial industry — voters must be encouraged to verify the voter-verified paper audit trail, and this paper record must be 100% counted, and all discrepancies between computer tallies and paper tallies must be investigated and reconciled, or else the election should not be certified.

Understandable

In three years of full-time activism I have met only a handful of election people who are savvy about computers. Even if most election people are honest, they are easily taken advantage of by vendors, lobbyists, and other interested parties including their own former colleagues who now work for vendors and lobbyists.

Manageable

Computer security is impossible to control. The FBI computer crime survey of 2005 said that 87% of companies were broken into, and 44% had intrusions from within their own organization. How do you think your local Board of Elections will stand up to these statistics?

If you want to rob a bank, where do you get a job? At the bank. If you want to steal elections, where do you get a job? At the Board of Elections. Or maybe you get your relative a job there. Few Boards of Elections in this country are dealing in a professional manner with the security problems of computers, because they lack the know-how, money, and political backing to do so.

I missed all the excitement in the Iowa primary!  No, not the O’Brien upset of the annointed Dusk Terry, or the ousting of State Senator Tinsman, or the triumph of the unqualifed candidate for Secretary of State on the Republican ticket.

I’m talking about how Pottawattamie County is now a poster child for election integrity activists for what they did wrong and for what they did right when they realized the error.

They went wrong when they didn’t adequately test the voting machines before the election.  But they realized the problem as votes began to be counted Tuesday night and they grabbed the bull by its horns, wrestling it to the ground for a good ol’ rodeo victory over the voting machines—they counted the ballots by hand!

They knew something was wrong when the machine counting the ballots claimed that an unknown college student was ousting an long time incumbent county recorder.

Here’s a complete version of the story from John Gideon of Voter’s Unite.

We’ll be hearing more about this.