Rich Whitey

<ADMISSION>
While the following error (read: hilarious fuckup) could have just as easily happened on printed ballots, given my antipathy for electronic voting machines, I am all too happy to take yet another, albeit gratuitous, swipe at them.
</ADMISSION>

Rich Whitney, the Illinois Green party gubernatorial candidate, was dismayed to learn that his name was misspelled as “Rich Whitey” on electronic ballots in 23 of Chicago’s 50 wards. Half of the machines with the misspelling are in predominately black wards and there is not time to correct the error before election day.

Though polling indicates that Whitney would garner a mere two percent of the votes, he is (somewhat) understandably unhappy about the misspelling. If it were me, I would be trying like hell to incorporate this as a campaign feature. I would post flyers all over the affected wards with slogans like “A rich whitey is moving into the Governor’s mansion anyway. Vote Rich Whitey!”, or “Vote Whitey! He’s Green!”

Never undervalue how grateful people are to laugh.

MrPikes, Election Officer (the reflux mix)

Yesterday was my fourth time volunteering in a polling place, and my second time as an Assistant Chief. Unsurprisingly, it was quite a day. Our precinct consists of 2,460 registered voters, and we processed over 700 of them (28%) in the first two hours. Those first couple of hours were just insane. Lines filled the 40 x 80 gymnasium, then stretched a quarter-mile outside (in a light rain).

About an hour into this, while constantly being pulled in a dozen different directions, I asked myself, “Is it going to be like this all day? What if we lost power right now?”, then threw up in my mouth a little.

The touch screen machines, which I despise (previously), held up fine, but didn’t help us move voters through as quickly as we would have liked. Some voters fly right through the electronic ballots, but all it takes to slow the line to a crawl is for a few confused voters to stand there gaping at the machines like tapeworms attempting neurosurgery. I don’t blame the voters, I blame the machines. They need to go, and happily, they are.

Another complication was the fact that we ran four registration tables this election (A-C, D-K, L-R and S-Z). D-K consistently ran double to triple the length of the other lines and, naturally, people in that line got pissed as they saw people who came in after them get through other lines and out the door before the D-K folks had even reached their registration table. We couldn’t break up the distribution differently for complicated reasons, so we just had to roll with it. If it is not immediately apparent, the reason that we do not simply run four A-Z lines is because we wish to prevent people from voting four separate times over the course of the day (I believe there is some sort of rule against this).

I had a chance to talk with a representative from the registrar’s office later in the day, and asked what method they used to choose the alphabet distribution. It turns out they go by the thickness of the poll books. Not the most precise method, but not a terrible one either. The problem is that even if we divided up the poll books perfectly, one cannot predict how many people with surnames starting with “B” versus those starting with “G” are going to show up on election day. Some voters complained that we should have gone with a “first come, first served” rule to be “fair”. I held back from sharing the observation (given the overall reduction in throughput that individual “fairness” would have caused) that if they were standing a quarter mile back, outside, in the rain, their perception of fairness might differ.

I don’t really blame people for being cranky, although I would love for them to get a taste of an election from my point of view. After all, they just wanted to cast their ballots, then get on with their lives. And lots of people went out of their way to thank us (17 of us, and four student pages) for volunteering, which is always swell. The volunteers and pages were indeed fantastic. I am grateful to and proud of each and every one of them.

A little after 8:00am the line died down. For the rest of the day we enjoyed a sane flow of voters, and closed the polls promptly at 7:00pm. All told (including absentee ballots) 85% of our voters turned out. And I’m proud as hell of them, too.

A Sudden Outbreak of Common Sense

As my handful of readers are already aware, I have taken an interest in America’s voting process. I am an Officer of Elections (the fancy way of saying volunteer) in Henrico County, Virginia, and I actually just got a “promotion”, in that I will be our precinct’s Assistant Chief in the 2008 presidential primary. Last year I mailed a copy of Avi Rubin’s Brave New Ballot to each state’s Secretary of State, with some positive responses.

I am passionately opposed to direct-recording electronic (DRE) voting machines without a voter verified paper audit trail (VVPAT). Their inherent complexity is hugely disproportionate to the task at hand, and they just plain suck at fulfilling the fundamental requirements of an objectively verifiable, meaningful election. The brief explanation for how we got these damned things goes back to the goat rodeo that was Florida’s 2000 presidential election. In 2002, by way of response, Congress passed the Help America Vote Act (HAVA) which, among other things, provided billions of dollars for states to replace their punch card voting systems. Salivating like dingoes in a maternity ward, vendors like Diebold, ES&S, and Hart InterCivic then descended upon the states with their shiny solutions.

After the hue and cry from computer scientists like Avi Rubin and Ed Felten, numerous independent Red Team audits of these voting systems (for example), and some sobering failures in actual elections, it appears that a sea change has occurred with regard to the continued use of DREs. Florida (remember how all this started?), California, Colorado, Maryland and Ohio have enacted legislation within the last year to restrict or eliminate DREs altogether, returning to paper ballots and optical scanners. Other states (like Virginia) have opted for a phased approach, enacting legislation barring the purchase of any new DRE equipment. At this point, 40 of the 50 states either have a legal requirement for a VVPAT, or are currently considering legislation. The devil is always in the details (when he’s not hanging out at the bar I frequent), but I am highly encouraged by this turn of events.

The bad news is that states like Maryland will be spending (collectively) billions of dollars implementing replacement systems while still paying off the systems that they just scrapped. If I weren’t so cynical I might say something like, “Perhaps next time states will not turn so quickly to solutions involving expensive technologies whose development was unencumbered by standards or clear requirements, furnished by vendors who have no vested interest in the public good.”

*sigh*

Brave New Ballot

Hon. John Suchandso
Secretary of State
123 Fake Street
Anytown, AA 12345

February 26, 2007

Dear Mr. Secretary Suchandso,

My name is [REDACTED], and I write to you as a United States citizen deeply concerned about the integrity of our voting system. I am not affiliated with any organization.

Enclosed with this letter is a copy of Brave New Ballot, by Dr. Aviel Rubin. Dr. Rubin is a Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University. I have provided his book to you and to each of your counterpart Secretaries of State because I found it to be a thorough, accessible resource detailing the issues surrounding electronic voting systems. I hope that you find it useful.

I served as an election officer in Henrico County, Virginia for the 2006 midterm election. It was a highly worthwhile experience that I look forward to repeating. My fellow volunteers were experienced and dedicated, and procedurally the day ran flawlessly. I was prepared for the unfortunate reality that without a paper audit trail we could not objectively prove that our precinct’s results were valid. What I was unprepared for was the meaningful percentage of voters who had serious difficulties navigating the touch screen ballots. Those who assume that familiarity with the graphical user interface is ubiquitous do a huge disservice to these voters.

I believe that we need to take a big step back and restate the problems that we were trying to solve, then assess how well electronic voting machines actually solve them.

Our voting system should be a point of national pride, trusted and understood by all citizens, and used as the gold standard worldwide. It is far too precious a thing to entrust to proprietary black boxes produced by the private sector, whose interest in secure and accurate elections is at best secondary.

Thank you for your time and consideration.

Respectfully yours,

[REDACTED]

MrPikes, Election Officer Redux

You never forget your first time, do you? In my case it lasted 15 hours, and involved nine partners.

My day as an election officer started at 5:15 am. Our precinct was in a multipurpose room/gymnasium at an elementary school. We set up the signage, registration tables, five electronic voting machines and one demonstration unit with no problems, and opened the polls promptly at 6:00 am. Four volunteers worked the tables, one ran the demonstration unit, three managed the voting machines and two (the Chief and Assistant Chief) managed all procedural aspects of the election, and dealt with stuff like drive-up voting for those with special needs. We had good coverage.

I spent most of the day managing the machines. Once voters checked in, they queued up and presented paper tickets to a volunteer who (after giving the voter an “I Voted!” sticker) directed them to one of two volunteers with smart cards (I was one of these). I escorted each voter to an available machine, and inserted the smart card to activate a new ballot (this procedure serves to eliminate overvoting).

Henrico County uses Advanced Voting Solutions WinVote machines, which my friend Gokmop wrote about last year. They are Windows-based tablet PCs that reside in a plastic suitcase that transforms into a booth (pictured below).

[Image: AVS WinVote]

Around 9:00 am one of the machines was unplugged and taken outside to allow a drive-up voter to cast hus ballot. When the machine was returned to its station its AC jack was not re-engaged fully, and the machine was inadvertently left to run on batteries. The battery backup is supposed to last 6-8 hours. It managed about 30 minutes before shutting down. When we booted the unit back up, it was in a locked state that required a technician employed by Henrico County to come out and deal with. We were without that machine for maybe 90 minutes. It affected the queue, but I don’t think that anyone waited over 30 minutes total. This was the only glitch of the day, and I consider it minor.

Logistically things ran pretty smoothly. There were a few incidents, such as the man standing in line who had a fairly spectacular diabetic sugar crash. He was quickly and competently attended to, and went on to cast his vote. Interestingly, this incident illustrated the extent to which suspicion has come to inform my perspective. Within seconds of assessing that the man was having a sugar crash and that two of my fellow volunteers were already acting on it, I looked over my shoulder to make sure that no one was messing with any of the machines. Now, before any of my gentle readers start planning the menu for the intervention, let me say that I genuinely believe my level of suspicion still places well up in the Healthy quadrant, but it’s a good thing of which to stay mindful. If I end up wearing foil-lined underpants and arguing with mailboxes, then you can have your intervention. Mark me down for beef.

Meanwhile, back on voting day, the mood was generally pleasant. While waiting for a machine to free up, one voter joked that his sticker was not technically accurate, since he had not yet, in fact, voted. I responded that Henrico County was examining the feasibility of providing stickers that addressed the various states of voting – “I Am About To Vote!”, “I Am Voting!”, “I Voted!”. I also pointed out to him that the sticker was in fact technically accurate if he had ever voted before. Good times.

The convivial atmosphere, for me, evaporated at the machines themselves. Over the course of the day, my dismay turned to quiet anger as I saw a meaningful percentage of citizens struggle to cast their votes. The single most important lesson that I learned on election day was that way too often these slick, new electronic voting machines do not solve the problem that they were designed and purchased to solve, while creating a laundry list of new problems.

The WinVote machines are touch screen. The voter is guided through a series of screens, each corresponding to a ballot item. The voter selects hus desired candidate for each election by touching the candidate’s name. At the end there is a summary screen that displays the voter’s choices, followed by a screen that instructs the voter to press a large flashing box labeled “VOTE” to cast the ballot.

Something about the design of that screen confused a lot of voters. When they reached it they thought they were done, and they walked away from the machine without pressing the flashing box. Maybe 25 times over the course of the day, one of my fellow volunteers or I had to chase after voters to ask them to come back and complete the process. We’re not allowed to press the box ourselves – a voter who walks away without completing the final step has hus vote invalidated. During the busiest part of the day we missed one voter. We tried advising people about the final step as we were escorting them to the machines, but one has to be careful not to over-inform people who might already be intimidated by doing something unfamiliar.

The entire day, right inside the entrance to the precinct a volunteer offered straightforward tutorials with a working demonstration machine. A lot of people who really would have benefited from this passed it up either because they were too proud, or too confident, or in too much of a hurry. Whatever the reason, when they got to the actual voting machines they became our problem. Setting aside the observation that any voting system requiring a tutorial needs rethinking, we had an election to run, and we had the equipment that the county provided to run it.

We could spot those who were going to have trouble within a few seconds of them getting in front of the machines. You could see their posture change as they encountered something unexpected. It wasn’t just the elderly voters, as one might expect. Young, old, black, white, Hispanic, men, women – I assisted voters across a wide demographic spectrum.

Election officers can assist voters, but there are rules for going about it. I couldn’t just walk up beside a voter requesting assistance and look at the ballot. That requires the voter to fill out a form that both of us sign, which is time consuming and in most cases overkill. I helped two voters that required this level of attention because they were so entirely lost. The rest of the time I would stand beside the machine and ask the voter to describe the screen in front of hum, without telling me how hu intended to vote. I had the screens memorized so it was usually a simple matter of explaining the basics of navigating around. In some cases all that was necessary was to inform the voter that the system was touch screen. I had opportunities aplenty to refine my spiel, seeing as I delivered it around 100 times.

It’s important to make it explicitly clear that I don’t think the people I’m describing are stupid. The impression I formed was that they were just entirely inexperienced with something that I happen to take for granted – the graphical user interface. In one way or another I’ve been dealing with GUIs since Dad brought home Pong when I was five. I guarantee that it was the first time for many of those whom I assisted on November 7th.

This can be a hard concept for people who are completely comfortable with GUIs to grasp. In describing my election day experiences, I’ve heard numerous responses along the lines of, “It was so easy for me. I can’t imagine anyone having trouble.” Allow me to make a blanket response to this reaction:

  1. The world is full of things that you cannot imagine.
  2. Your inability to imagine them does not make them any less true.
  3. Touch screen voting machines were designed and purchased by people who share your inability.

We do an immense disservice to a meaningful percentage of voters by forcing them to use these machines. In my precinct, several voters had thoroughly awful experiences. Some felt intimidated, some felt stupid, and some felt just that one more bit detached from a world that they used to get along in just fine. Was their experience so bad that they might not vote in the next election? I certainly hope not, but it is simply wrong to expect voters to learn a completely unfamiliar technology without having at least one compelling reason to do so.

I will ask again, “What problem were we trying to solve?”

The usual response is, “Florida, 2000.” Much was made about hanging, pregnant or dimpled chads, and the confusing butterfly ballots. A more generic way of stating the problem is to say, “The method for capturing voter intent was flawed,” and I agree completely. The Help America Vote Act passed in 2002 allocated billions of dollars to the states to fix the problem. Setting aside the Pandora’s Box of problems that the law unleashed, its primary objective remains unrealized, and postmortem articles like the Washington Post’s “Voting System Worked, With Some Hiccups” amount to little more than whistling past the graveyard.

I guess it depends on how low one sets the bar for declaring that something “worked.” Did the voting system “work” because most of the machines didn’t visibly malfunction? Did it “work” because people didn’t have to wait that much longer than they used to? Did it “work” because more voters and election volunteers than not were comfortable setting up and operating the machines? Did it “work” because at the end of the day most of the non-auditable black boxes produced totals that added up to the total number of people who checked in?

We can do so much better than this. We can start by demanding that our voting system be great, not merely good enough.

My day as an election officer was highly educational and worthwhile, and I look forward to doing it again. The people with whom I worked were top shelf – genuinely dedicated to ensuring a fair and accurate election. They were also very kind and accepting of me, a first-timer and a snot-nosed whippersnapper. We had opportunities to chat during brief lulls in the day. We talked about how good the turnout was, we compared home addresses and made fun of the new McMansion™ development nearby. We talked about past elections, and our concerns with or confidence in the new machines. Leaving the gym at 8:00 pm, I knew that whatever shortcomings our current voting system has, people like these nine were certainly not among them.

MrPikes, Election Officer

Last night I attended Henrico County, Virginia’s Election Officer Training. It took an hour. I am given to understand that it might have gone longer, but apparently West Virginia was playing Louisville (Go Mountaineers!).

I decided to volunteer as an election worker for two reasons:

  1. Coming from a technical background I thought I might be helpful.
  2. I genuinely want to participate in our election process.

At 34 years of age, I stuck out like a pregnant prom queen – the average age of election workers being 70 – but I was prepared for that. I was less prepared for the Pledge of Allegiance (I politely stood, with my hands at my sides), and was even less prepared for the social aspect of the gathering. A lot of my fellow volunteers knew each other, which makes sense in retrospect, but at the time I would not have been surprised to see people begin producing casseroles.

Around 40 of us went to a separate room to receive training on the Direct Recording Electronic (DRE) voting machines. Henrico uses Advanced Voting Solutions WinVote machines, which my friend Gokmop wrote about last year.

The fact that they communicate with each other wirelessly for end-of-election tabulation still concerns me deeply. Wireless is inherently more insecure than wired, even with badass encryption, and 128-bit WEP (which is what WinVote uses) is demonstrably lame.

The training was exclusively confined to the setup and operation of the machines. Not one word was spoken about what to do when the machines malfunctioned. Presumably the Chiefs and Assistant Chiefs receive more thorough training on what to do when things go wrong, and there is always the Registrar hotline to fall back on. Still, I felt like the omission had more to do with convincing the poll workers that the machines were reliable. I saw a lot of wide eyes during our training.

Here’s a little thought experiment – imagine overhearing the following at a voting precinct using paper ballots:

Chief, this stylus won’t move. Can you come over here and unbudge it?

Sir, can you help me? I’m trying to punch this hole, but it keeps unpunching itself.

I need another ballot. The one I was using just crumpled itself up, then burst into flames.

Um, what problem were we trying to solve again?

DRE Voting Machines

The right of voting for representatives is the primary right by which other rights are protected.
– Thomas Paine, Rights of Man, 1791

I just finished Avi Rubin’s book Brave New Ballot. I’ve been keeping up with the issues surrounding electronic voting since I read RiSC’s 2004 Red Team report (167KB pdf) on the serious, practical security vulnerabilities uncovered in Diebold’s Direct Recording Electronic (DRE) voting machines.

Aside: While researching this post I discovered that DRE is also a medical acronym for Digital (think finger) Rectal Examination. Oh my.

The State of Maryland commissioned RiSC’s review (as well as an analysis by the SAIC – 1227KB pdf) to certify the machines were credible and secure, in response to a non-commissioned paper co-published by Dr. Avi Rubin. This paper concluded that the Diebold machines were fundamentally insecure, based on analysis of source code that Diebold had inadvertently made public. The SAIC and RiSC reports went on to uncover additional, serious flaws.

In addition, just this month, Princeton researchers published yet another study (with video) that, among other problems, demonstrates that Diebold machines can be infected with a vote-altering virus, spread via the machines’ memory cards.

I find these reports fascinating reading. Some of my gentle readers may not, so I will highlight some of their findings below. Bear in mind that Diebold typically rebuts the results of unauthorized analyses of their machines by stating something to the effect that the code/machines analyzed were several generations old and no longer used by any voting precincts in the country, that the attacks identified are purely theoretical, and so on.

I simply ask you to consider that a) the authorized reviews conducted using up-to-date machines/code confirmed that many of these flaws were still present; b) outdated or no, these flaws were at one time present in actual machines in actual, recent elections; and c) at present, we basically have to take Diebold’s word for it.

Now, the highlights:

  • The smart cards used to ensure that an individual can vote only once are easily cloned or reinitialized to allow multiple votes.
  • Supervisor PINs and passwords are either hard-coded, stored in plain text, or have defaults such as 1111. With Supervisor access, an individual could tell a machine that the election was over, clear the results, vote multiple times, or change passwords (thus locking out precinct judges).
  • The locks used to secure the machines are identically keyed, easily picked, and common. The same model of lock is used to secure jukeboxes, desk drawers and hotel minibars.
  • The algorithm used to randomize the order of the voting records (to preserve voter anonymity) is inappropriate to the task. What’s more, the programmers put the following comment in the code:

    // LCG – Linear Conguential Generator – used to generate ballot serial numbers
    // A psuedo-random-sequence generator
    // (per Applied Cryptography, by Bruce Schneier, Wiley, 1996)

    What is painful is that Schneier explicitly states in Applied Cryptography:

    Unfortunately, linear congruential generators cannot be used for cryptography; they are predictable.

  • Both the voting machine software and the Global Election Management System (GEMS) server (central tabulation server) sit atop Windows operating systems consisting of millions of lines of code and, ahem, praised by one and all for their flawless security.
  • Analysis of the GEMS server determined that it was 15 Windows patches out of date. At least one of these was a critical security patch (made available the previous year) whose exploitation gave the attacker complete control of the machine.
  • The GEMS database was written in Microsoft Access – a tinkertoy.
  • Votes can be transmitted from the precinct to the GEMS server via dialup modem. The phone number, user name, password and IP address of the server are stored in plain text in the Windows registry. With this information, an attacker could impersonate a voting machine and/or intercept and alter election results in real time.
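
The linear congruential generator item in the list above, as an added example (not code from the Diebold source or from any of the reports): three consecutive serial numbers are enough to solve for the generator's constants, after which every later serial follows, while serials drawn from the operating system's CSPRNG give a reviewer nothing to solve for. The modulus, multiplier, increment and seed are constructed values, and the sketch assumes the modulus is prime and known to the reviewer.

```python
"""Added example: why LCG-generated ballot serial numbers are predictable."""
import secrets

M = 2**31 - 1  # constructed prime modulus, assumed known to the reviewer


def lcg_serials(seed, a, c, m, count):
    """Weak form: serials from the recurrence x_{n+1} = (a*x_n + c) mod m."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def csprng_serials(m, count):
    """Hardened form: unique serials drawn from the OS CSPRNG."""
    out, seen = [], set()
    while len(out) < count:
        s = secrets.randbelow(m)
        if s not in seen:
            seen.add(s)
            out.append(s)
    return out


def recover_lcg(serials, m):
    """Solve for (a, c) from three consecutive outputs, or return None.

    x2 - x1 = a * (x1 - x0) (mod m), so a = (x2 - x1) / (x1 - x0) (mod m).
    Because m is prime, any nonzero difference has a modular inverse.
    """
    if len(serials) < 3:
        return None
    x0, x1, x2 = serials[:3]
    d0 = (x1 - x0) % m
    if d0 == 0:
        return None
    a = (x2 - x1) * pow(d0, -1, m) % m
    c = (x1 - a * x0) % m
    return a, c


def predict_next(observed, m, count):
    """Continue the sequence from the last observed serial."""
    params = recover_lcg(observed, m)
    if params is None:
        return []
    a, c = params
    out, x = [], observed[-1]
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def fraction_predicted(serials, m):
    """Review check: share of serials after the third that the recurrence
    recovered from the first three reproduces (1.0 means fully predictable)."""
    rest = serials[3:]
    guess = predict_next(serials[:3], m, len(rest))
    if not rest or not guess:
        return 0.0
    hits = sum(g == r for g, r in zip(guess, rest))
    return hits / len(rest)


if __name__ == "__main__":
    # Constructed parameters; not the values used by any real voting machine.
    weak = lcg_serials(seed=2006, a=48271, c=12345, m=M, count=20)
    strong = csprng_serials(M, 20)
    print("recovered (a, c):", recover_lcg(weak, M))
    print("LCG serials predicted:   ", fraction_predicted(weak, M))
    print("CSPRNG serials predicted:", fraction_predicted(strong, M))
```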

The most significant problem with these machines is not a security flaw per se, though it greatly magnifies the impact of all other vulnerabilities. No independent, valid audit trail exists to prove that a given machine produced accurate counts. Incidentally, the same can be said for gear and lever voting machines, which went into service in 1913.

Moving to optical scanners that could read and tabulate counts of paper ballots was a huge improvement, but the mechanism by which voters applied their intent to the ballot was flawed (butterfly ballots, chads in various states of repose, and so on). Could the optical scanners be hacked? Certainly, but I haven’t read up on it. For all I know there could be a little man inside who takes the ballot, then presses a button that corresponds to the candidate. Perhaps the little man could be blackmailed. If elections are done right, however, the little man doesn’t matter, and here’s why:

  1. In order to sway a national election, you have to get dirt on a bunch of little men.
  2. If a precinct, county or state produced suspicious election results, election officials have paper ballots to recount manually, under the bi-partisan scrutiny of people of average or greater height.

Rubin makes this fundamental distinction in Brave New Ballot – the difference between retail and wholesale fraud. Stuffing or “disappearing” ballot boxes is retail fraud. Surreptitiously altering software subsequently placed on tens of thousands of voting machines is wholesale fraud. Another example is hacking the central server to which election results are uploaded.

And remember, with these machines, meaningful recounts are impossible.

Per the Princeton report, in the 2006 general election Diebold machines will be used in 357 counties, responsible for capturing and counting the intent of nearly 10 percent of registered voters. That’s just the Diebold machines. Overall, 34 percent of counties will use touch-screen voting systems in 2006. However, only seven states will employ machines that produce a voter verified paper audit trail (VVPAT).

Hacking voting machines (or a central server) requires intent. However, merely introducing the complexity of electronic hardware and software causes problems of its own. For example, in the 2004 presidential election, over 4,500 votes were lost in Carteret County, North Carolina due to a memory card storage problem in a machine manufactured by Unilect. In a Columbus, Ohio suburban precinct of 800 registered voters, a machine manufactured by Danaher Controls recorded 4,258 votes for one candidate.

Setting aside whether or not these issues would sway a given election, what matters is that voters’ intent was lost. Voters whose confidence in these machines is low are that much less likely to vote. And casting absentee ballots as an alternative to using the machines is a problematic solution.

Bruce Schneier enumerates four fundamental requirements of a robust voting system: Accuracy, Anonymity, Scalability and Speed. I assert that only the first two are fundamental, while the last two are gravy.

  • Accuracy – Each voter’s intent is captured. Every legitimate vote and only legitimate votes are counted.
  • Anonymity – It is not possible to couple a voter with hus vote.

Avi Rubin’s “dream voting machine” would accomplish all four of Schneier’s requirements. Rubin describes this machine as follows:

My dream voting machine would have a user interface much like a DRE, but in reality it wouldn’t be a voting machine at all. I call it a “ballot marking machine.” Voters would navigate through touch screens, just as with a DRE, and make their choices for candidates and for ballot resolutions. However, instead of clicking on Cast Vote at the end, they would select a Print Ballot option, and the machine would produce a filled-in paper ballot that the voter would be able to check for accuracy. The layout and typography of the ballots would be standardized, and the count would proceed completely independently from the ballot-marking process, in some cases even by hand. One possible variation would use optical scanners to count the ballots, provided that the manufacturer of the scanners had no ties of any kind to the manufacturer of the ballot-marking machine. Similarly, scanners outfitted with audio output could assist blind voters, who would feed their marked ballot into the machine for verification. The marked paper ballots could be retained by election officials and used for recounts, either in cases of actual dispute or as part of a random spot-checking system…The ideal machine would have all the useful features of a DRE but would improve upon it in several key ways. It would allow for meaningful recounts of voter intent and would make it incredibly difficult for a vendor to rig an election. Most significantly, the system would provide citizens with the confidence that their votes were recorded and transmitted accurately and could not be altered after the fact.

Our voting system is hugely important. It should be a point of national pride, trusted and understood by all citizens, and used as the gold standard worldwide. It is far too precious a thing to entrust to proprietary machines produced by companies whose interests are primarily financial.

Recommendations

If we’re going to use DREs, these criteria must be met:

  • The software of every DRE and tabulation server put into service must be subjected to transparent, independent peer review. A method must exist to verify that the code on a given machine matches what was reviewed.
  • DREs must produce a paper ballot that each voter can use to verify hus intent was recorded accurately. The ballots comprise the official count, not the machine totals.
  • Machines fail and require power. In the event of a catastrophic failure, every voting precinct must have an adequate backup supply of paper ballots and a printout of registered voters.

If you are disenfranchised by your state’s voting system, please write your Congressional representatives. For more information on current proposed legislation, visit verifiedvoting.org.