Thursday, August 23, 2007

Further Debasement of elections inhttp://www.blogger.com/img/gl.link.gif Our Great Democracy

Really, one kind of wonders what kind of scumbag sees easily corruptible mechanisms as any sort of solution to anything but corruption in kickbacks and rigging elections more easily....

The end of the secret ballot:
Ohio's method of conducting elections with electronic voting machines appears to have created a true privacy nightmare for state residents: revealing who voted for which candidates.

Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election's results--including allowing voter names to be matched to their actual votes.

Making a secret ballot less secret, of course, could permit vote selling and allow interest groups or family members to exert undue pressure on Ohio residents to vote a certain way. It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago.

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.

Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.

"I think it's a serious compromise," said David Dill, a Stanford University computer science professor who has followed electronic voting issues closely. "We have a system that's very much based on secret ballots. If you have something where voters are involuntarily revealing their votes, it's a very bad practice."

Moyer and fellow activist Jim Cropcho tested this by dropping by the election office of Delaware County, about 20 miles north of Columbus, and reviewing the results for a May 2006 vote to extend a property tax to fund mental retardation services (PDF). Their results indicate who voted "yes" and who voted "no"--and show that local couples (the Bennets, for instance) didn't always see eye-to-eye on the tax.

Patrick Gallaway, communications director for Ohio Secretary of State Jennifer Brunner, a Democrat, said on Friday that his boss had already been planning to begin a "comprehensive" review of e-voting machines as part of a campaign pledge she made before taking office in January. He said the review now is likely to include a look at the ES&S voter privacy concern as well.

ES&S machines are used in about 38 states, according to the Election Reform Information Project, created by the Pew Center on the States. Of those states, Arkanasas, Iowa, North Carolina, Ohio, and West Virginia are among those using ES&S iVotronic machines with paper audit trails.

Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don't. A spokesman for Diebold Election Systems (now Premier Election Solutions), said they don't for security and privacy reasons: "We're very sensitive to the integrity of the process."

An ES&S spokeswoman at the Fleishman-Hillard public relations firm downplayed concerns about vote linking. "It's very difficult to make a direct correlation between the order of the sign-in and the timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic machines are used in 10 Ohio counties, mostly in the center of the state, according to a map on the BlackBoxVoting.org watchdog site.)

"That is so fatally flawed," Friedman-Wilson said about Moyer's and Cropcho's analysis. "It doesn't take into consideration any of the times that there would be interaction with a voter and a poll worker before the ballot is activated." As for the interaction of Ohio open records law with ES&S logs, she said that "it is most appropriate that the secretary of state's office and others who are responsible for carrying out elections respond to questions regarding Ohio election law and procedure."

Timestamps + Ohio law = trouble

One explanation is ES&S had never expected that the paper with the time stamps, known as a voter verified paper audit trail, or VVPAT, would be made public under state open records laws.

A report evaluating ES&S security prepared by Compuware auditors two years for the Ohio secretary of state--marked "Confidential" but available on the Internet (PDF)--does warn about keeping electronic time stamps. It says that the electronic representation of votes, called the Cast Vote Records, "should not have time stamp associated with it" and must be randomized to protect privacy.

But the auditors viewed timestamps on the physical printout, called the audit log, as needed to detect "tampering" with the ES&S iVotronic hardware. "All actions to the iVotronic are recorded in the audit log with a time stamp," the report said. "This includes opening and closing the polls, voting, inserting invalid voting cards, loss of power, and supervisor access."

David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.

"This summer I learned that Diebold's AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast--down to the millisecond--along with the electronic record of that vote," Wagner said in an e-mail message. "In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record."

The July 20 report on Diebold (PDF), written by Wagner and five Princeton University researchers for the California secretary of state, cites the electronic time stamp as a voting privacy concern. "If the time when each voter checks in is recorded in the poll log book, an attacker with access to the log book could correlate this data with the timestamps to determine how voters voted," the report says. "Alternatively, observers in the polling place could note the time when target voters cast their votes and find the corresponding vote records in the ballot results file."

Ohio law allows just this. Section 3501.13 of state law says "the records of the board and papers and books filed in its office are public records and open to inspection." Anyone who interferes with the public's right to inspect the records, in fact, is guilty of a misdemeanor.

Of course, the correlation may not be perfect. If Voter No. 1 signs in but gives his space in line to Voter No. 2 who's in a hurry, a reconstruction of the votes based on public records will incorrectly identify their votes.

Having multiple machines and multiple lines can also create a randomization effect, but Moyer says that in his experience as a poll worker there's only one line that feeds into multiple machines. In addition, he says, poll workers log the voter into the ES&S iVotronic, which starts the time-stamped entries and means there's no additional randomization of voters taking different amounts of time to start the process.

A uniquely Ohio problem?

Even though other states do use the ES&S iVotronic paper trails, they don't necessarily make them available for public perusal.

Natasha Naragon, a spokeswoman for the Arkansas secretary of state, said she knew of no way to disable the time stamps on the voting machines' printed output. But, she said, "our law does not allow for public access to our voted ballots" and said they remain sealed unless there's a recount.

Iowa's procedures seem designed precisely to avoid the Ohio situation. "Iowa has an administrative rule, because the paper trail is in voter sequence, that prohibits providing to any of the bodies that have access to the paper rolls any information that would allow them to link individual ballots on paper roll to the voters," said Sandy Steinbach, the state's director of elections.

Computer scientists and security experts say restricting the public's access to e-voting paper trails by tinkering with open records laws is insufficient--it doesn't protect against, for instance, an insider perusing the ballots and reconstructing them.

They do say paper trails are necessary to provide a physical check on what could be a buggy or maliciously programmed machine. But they offer three suggestions: deleting the time stamp, not keeping a list showing in which order people vote, and adding a paper slicer and shuffler to randomize how the physical audit trail is recorded.

Lorrie Cranor, director of the Usable Privacy and Security Laboratory at Carnegie Mellon University, says that "you need to have mixing either in the recording of the orders of the voters or the votes, or preferably both."

"Audit trails are really important, but so is privacy," she said. "Many of the vendors of (e-voting machines) have actually put ID numbers on the paper records, which also could be used to reconstruct which voter is associated with a vote."

Moyer and Cropcho have posted a summary of their findings on their Web site, ThePublicBallot.org.

For its part, ES&S claims that printing out time stamps is recommended by standards adopted in 2002 by the Federal Election Commission.

ES&S spokeswoman Friedman-Wilson pointed to two sections of the standards, one of which says "all audit record entries shall include the time-and-date stamp." The other says error messages, critical system status messages, and a record of a voter "activating and casting each ballot" should be part of the audit log. (It does not, however, explicitly mandate that the outcome of the vote be printed.)

"Because the voter verifiable paper audit trail is one element of the audit function of a voting unit, one could interpret these guidelines as requiring the time stamp have citations within the guidelines," Friedman-Wilson said in an e-mail message.

Johnnie McLean, the deputy director of the North Carolina Board of Elections, said: "Our public records laws don't include that paper record. A voted ballot is considered confidential." In West Virginia, secretary of state spokesman Ben Beakes said: "There would be no way to match the time with the voter because in our poll book system, all you would find is an alphabetical list of the people they voted, not the time they came into the polling place."

Ohio, by contrast, may be unique. "It's my understanding from our legal staff that a public document consists of anything that is in the public domain," said Gallaway, the secretary of state's communications director. "I think that both of those (the time-ordered poll books and the time-stamped paper trail) would be considered that."

That has left computer scientists, already alarmed about the security of e-voting machines, dismayed at the interaction between time stamps and Ohio laws. "Security and privacy and the integrity of the voting system depend not only on the technology, but also on the procedures and the combination of the two," said Stanford's Dill. "This is a case where the combination of technology and procedures are working together to create a privacy threat."
Onee more time (in case you missed it); it's not only Diebold:
ES&S to be Rebuked, Fined and Possibly Banned in CA?
By Kim Zetter August 21, 2007 | 3:12:02 PMCategories: E-Voting, Election '08

California announced today that it plans to hold an administrative hearing on September 20th to discuss the fate of Election Systems & Software for violating state election codes. ES&S, the top voting machine company in the country, is being accused of selling at least five CA counties a version of its AutoMark ballot marking system that hadn't yet been tested or certified for use in the state or the country.

ES&S apparently sold at least about 1,000 uncertified machines to San Francisco, Marin, Colusa, Solano and Merced counties. (The number of uncertified machines delivered to California was supplied by ES&S to the state; CA officials have yet to conduct their own inventory to determine if more machines are involved.)

Per CA law, ES&S could be fined $10,000 per uncertified voting system unit (or $9.72 million) and be required to give a complete refund to counties of all money spent on the machines -- the latter would amount to about $5 million.

Additionally, ES&S could be barred from doing any business in the state for between 1 and 3 years, which would impact more than just the five counties mentioned -- potentially affecting more than 14 counties that use ES&S machines, including Los Angeles County.

The issue raises questions about how many other uncertified AutoMarks the company may have sold to other states.

ES&S did not respond to a request for comment in time for publication.

The AutoMark A100 was certified for use in California in August 2005. However, in 2006, ES&S, by its own admission, sold about 1,000 units of its subsequent AutoMark model -- the A200 version -- to five CA counties months before the system passed federal qualification testing in August 2006. Voting machines generally undergo two stages of testing and certification, first by independent testing labs overseen by the federal government and then by the states themselves. But according to secretary of state spokeswoman Nicole Winger ES&S still has not submitted the A200 system to the state to examine and certify.

Winger also says that the A200 machines had stickers on them (see photo below) that identified them as having passed federal qualification testing, when they hadn't yet passed that testing. Winger says that the qualification stickers that were placed on the A200 machines were the stickers that are supposed to apply only to A100 machines. Winger says it's possible that the stickers were applied in error. But if ES&S deliberately placed the stickers on the machines it could suggest a deliberate attempt on the part of the company to deceive California election officials.

"We are in the early stages of learning about the facts," Winger told me. "We don't know who would have applied the A100 stickers to uncertified equipment."

Winger said the differences between the A100 and A200 systems are significant and easily identified just through visual inspection (see the photos above at right). The size of the motherboard and the types of wiring inside the machines are just two examples of the differences.

"Those are the first things on visual inspection that even a computer novice would notice," Winger says.

ES&S is not the first voting machine company to have sold uncertified equipment in CA. In 2003, the state discovered that Diebold Election Systems had installed uncertified software in machines in 17 counties. (UPDATE: Joseph Hall at UC Berkeley reminds me that Diebold wasn't the only company that had uncertified software running in CA counties in 2003. A subsequent review of all election software in the state at that time found that eight counties were using versions of ES&S software that had not been federally qualified or state certified. Other counties were also found to be using uncertified software made by vendors other than ES&S and Diebold.)

Stephen Weir, the clerk for Contra Costa County, which has 762 AutoMark units as part of a $14 million contract with ES&S, supports Bowen's decision to punish ES&S for violating state laws -- although his county isn't among those that received uncertified equipment.

"If a vendor is using equipment in California that is not certified, they need to get busted," he told me. "If in fact (Bowen has) found equipment that was not ceritifed, that's a violation of not just the trust that a vendor has with election officials and the state, that's a violation of law."

The AutoMark is a ballot marking device that is a hybrid between a touch-screen machine and an optical-scan unit. Voters insert a full-size paper ballot into the system and make their selections on a touch-screen. The machine marks their selections on the ballot before returning the ballot to voters. The ballot is then passed through an optical scanner and tabulated. The machine has been touted as an answer to both the accessibility issues involving disabled voters and the verification issues around paperless touch-screen machines since the machines include audio for blind voters and use a full-size paper ballot that voters can verify before submitting it to be scanned and tabulated.

ES&S has been the focus of much attention in recent months. Last week Dan Rather Reports disclosed that the company was assembling its touchscreen machines in a sweatshop factory in Manila, the Philippines. The company's touch-screen machines are also at the core of a disputed election in Sarasota, Florida.

3 comments:

Anonymous said...

Awesome blog, I hadn't noticed theseditionist.blogspot.com previously in my searches!
Keep up the fantastic work!

Anonymous said...

Hello there,

I have a inquiry for the webmaster/admin here at theseditionist.blogspot.com.

Can I use some of the information from your post right above if I provide a backlink back to your website?

Thanks,
Oliver

Anonymous said...

Greetings,

Thanks for sharing the link - but unfortunately it seems to be down? Does anybody here at theseditionist.blogspot.com have a mirror or another source?


Cheers,
Thomas