VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Subject:
From: David Poehlman <[log in to unmask]>
Reply To: David Poehlman <[log in to unmask]>
Date: Fri, 5 Mar 2004 07:05:00 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (473 lines)

----- Original Message -----
From: "Steve Pattison" <[log in to unmask]>
To: "GUI-TALK" <[log in to unmask]>
Sent: Friday, March 05, 2004 4:56 AM
Subject: Fwd: How Safe Is Your E-Vote?


*********** BEGIN FORWARDED MESSAGE  ***********
On 2/03/2004 at 1:48 PM John Rae <[log in to unmask]> wrote:
How Safe Is Your E-Vote?

By Lee Nichols
AlterNet - USA, February 27, 2004

It's either the best thing ever to happen to elections, or the stupidest
blunder our elected officials have ever made; the savior of our democracy,
or a conspiracy to steal it; an idea whose time has come, or a hapless
symbol of society's naive faith in technology.

Electronic voting hasn't completely boiled over into the nation's greater
consciousness ... yet. But it's on a high simmer. It has staunch defenders,
passionate detractors, and one way or another, it will make a huge impact
on the 2004 elections.

The push for computerized voting gained momentum after the 2000
presidential election, also known as the biggest electoral fiasco in U.S.
history. An appalled nation learned what an imperfect science elections
are - hanging chads, allegations of fraud, and butterfly ballots making
Jews vote for Pat Buchanan. Surely, we were told, in our modern computer
age, we could do better than this.

In some eyes, computers seemed the obvious answer. No chads. No stray
marks. No spoiled ballots (in fact, no paper). No need for human judgment
about "voter intent" at all. The result was the 2002 federal Help America
Vote Act - which does not specifically require electronic voting, but does
provide funding to help states replace punch-card and lever voting systems.
Many jurisdictions all over the nation are choosing "direct recording
electronic" systems.

But while election administrators are generally enthralled with the new
technology - and a number of companies are rushing to meet the demand -
others are not embracing DRE voting. And the critics are not just the usual
conspiracy theorists. The strongest condemnation is coming from the people
who best know the limitations of computerization: computer scientists.

What will electronic voting mean for Travis Co. (and the rest of Texas) and
how might our experience compare to the rest of the nation?

Electronic Shadows

Perhaps the best way to understand electronic voting in Travis Co. is to
understand what it is not.

It is not Diebold. And it is not ES&S, nor Sequoia. Those three firms are
the market leaders in the electronic voting system business, and thus quite
naturally have become lightning rods - especially Diebold - for the
nationwide movement against electronic voting.

Diebold and ES&S (Election Systems & Software) have some conspicuous
Republican connections that automatically make yellow dogs go on point.
Diebold CEO Walden O'Dell is a Bush "Pioneer" - collecting at least
$100,000 in Bush campaign contributions - and in a now notorious 2003
quote, he said he was "committed to helping Ohio deliver its electoral
votes to the president next year," a statement widely denounced as proof
positive that Diebold's machines will be rigged to favor Republicans. In
context, O'Dell was clearly referring to fundraising, not vote stealing.
But quicker than you can say "conspiracy," the credibility of his company
was damaged. As for ES&S, one of its board members (and former CEO) is
Nebraska Republican Sen. Chuck Hagel, raising an obvious question of
conflict of interest between campaigning for votes and producing the
machines that will tally them.

But one good reason to doubt the Republican electronic coup theory of
e-voting is that in fact, many of the election officials aggressively
pushing for e-voting - including Travis Co. Clerk Dana DeBeauvoir - are
longtime Democrats.

Many computer experts express much more concrete concerns that the
available equipment doesn't offer the security an election requires. Three
key studies have focused on these doubts: A group of scientists at Rice
and Johns Hopkins universities snagged a copy of a Diebold source code
that was inadvertently posted on the Internet and examined it; and the
secretaries of state of both Ohio and Maryland commissioned studies that
were highly critical of Diebold. All three studies charged that the
machines were highly vulnerable to tampering. (Diebold responded that the
Rice/Johns Hopkins scientists examined an outdated source code; as for the
Maryland study, the company actually claimed that it praised the Diebold
AccuVote machines - a spin that dismayed the study's authors).

Even more troubling are reports of malfunctions, computer or human in
origin, that have caused problems in actual elections. Among other things,
there have been instances of more votes being registered than were actually
cast, voters pressing on one candidate but the machine registering the vote
for another, or votes simply vanishing.

So what's the difference in Travis Co.? In brief, Hart InterCivic - an
Austin-based company trying to broaden its market, in part with an
apparently more reliable product.

The eSlate Connection

Hart InterCivic morphed out of Hart Graphics, a printing company founded in
1912. In recent years, as the document industry moved increasingly from
paper to electronic formats, Hart developed extensive digitized business
with governmental agencies. In 1999, the government-related portion of the
business spun into the completely separate Hart InterCivic, which is
becoming a major national player in the growing DRE-machine industry.

Hart's product is called the eSlate - a small electronic tablet, of sorts,
specialized for casting ballots in elections. In the summer of 2002, Travis
Co. Clerk Dana DeBeauvoir purchased several hundred eSlates and gave them a
successful trial run in the early voting period of the November 2002
elections. The county went whole hog into e-voting in the spring 2003
Austin municipal elections, scrapping its optical scanning system
altogether. DeBeauvoir says her choice of eSlate was not simply an attempt
to Buy Greater Austin, but that Hart InterCivic's machine has several
obvious advantages over its rivals.

Unlike Hart's major competitors, the eSlate does not use a touch screen. "I
had trouble with calibration issues on the touch screens," DeBeauvoir says,
meaning that the onscreen "buttons" that the voter presses sometimes slip
out of alignment with the proper sensors underneath the screen. "Not all of
them, but some of them. It's what happened in Dallas [during early voting
in the 2002 general election, on ES&S machines]; you end up maybe casting
a ballot for the other candidate and don't realize it. They've done some
things in the industry to try to improve it since I first looked at it, so
in fairness to them, I think they have improved their product, but at the
time I was doing the review I found it troubling."

Instead, eSlate uses a wheel-and-button system - the voter turns a dial
until the candidate of choice is highlighted, and then presses a button to
select the candidate, never touching the screen. (As in all DRE systems,
the voter can correct errors before finally pressing the "cast ballot"
button.)

Secondly, eSlate does not use "smart cards," credit-card-sized devices
given by the election workers to voters, who plug them into a voter
terminal, letting the machine know that the person standing before it is
indeed a legitimate voter. The Rice/Johns Hopkins researchers say that it
would be terribly easy to "homebrew" such cards, which an attacker could
then sneak into the polling place and use to cast multiple votes. The
eSlate voters, in contrast, are assigned unique personal identification
numbers when they show up at the polling place, which they then enter into
the voting machine. The number's validity expires either upon casting the
ballot, or, if unused, within a few minutes of its assignment.

Perhaps most important, the eSlate system has no external connections - no
hookups to phone lines, the Internet, or an intranet. While some systems
allow results to be sent by modem to a central vote-counting facility, the
eSlate is comparatively old-fashioned - much like an old-style ballot box,
the devices ("mediums") into which votes are recorded are removed by the
election judges after the polls close and physically transported to the
central counting station. Asked if she would ever try to transmit election
results over the Internet or modem, DeBeauvoir said, "No way. ... Never."

In fact, trying to find specific criticisms of eSlate or Hart is difficult.
Searches of Internet and Nexis databases turn up only minor reports of
human error and no major security failures by eSlate. And in her book
Black Box Voting: Ballot-Tampering in the 21st Century, Bev Harris - the
nation's most visible nonscientist critic of e-voting - limited her
criticism of Hart to the company's Republican-leaning investors.

Other critics even give Hart qualified praise.

"Those touch screens are just utter crap," says Rebecca Mercuri, a research
fellow at Harvard University's John F. Kennedy School of Government and a
prominent e-voting critic. "Even the banking industry had gone away from
them years ago, because they malfunction so badly. It's a smart move on
Hart's part to not use that. Also, for the disabled, I think it's a very
nice interface, that sort of wheellike thing."

Dan Wallach, the Rice University scientist who worked on the Diebold study,
says, "I think in terms of human factors, accessibility, that sort of
thing, the design of the Hart system - where instead of using the touch
screen they use the rotary knob - I think there are a number of ...
benefits to that kind of design; that somebody who's blind uses the same
kind of interface as everybody else."

The 'Mercuri Method'

"Of course, it doesn't much matter if everybody uses the same interface if
nobody has confidence that their votes are recorded properly," continues
Wallach.

While concern about DRE voting has barely coalesced into a movement in
Austin, there is a small network of citizens and groups around the region
trading e-mails and worries. A new group addressing the issue, called Texas
Safe Voting, is a coalition among the ACLU of Texas, Campaigns for People,
Common Cause, and the Electronic Frontier Foundation of Austin.

There are two major public objections to all e-voting systems, including
eSlate: None provides a printed ballot for voters to confirm their choices
or that could be used in case of a recount; and, the groups insist, the
hardware, software, and source code should be available for public review.
Even DeBeauvoir admits of eSlate, "Could it be more secure? The answer is
yes."

"The main point about the Hart InterCivic machine is the same main point
that electronic-voting activists and computer security professionals have
been making across the board, which is, without a voter-verifiable paper
trail, no all-electronic voting system can be considered really secure and
reliable," says Adina Levin, director of the Cyber Liberties Project of the
ACLU-Texas and chair of the E-Voting Project of the Electronic Frontier
Foundation of Austin.

DeBeauvoir is not as concerned about computer error - she notes that the
eSlate has triple-redundancy storage mediums that can be cross-checked,
real-time audit logs, and can recall an image of each ballot that has been
cast (although it cannot match the ballot with the person who cast it).

That's not enough, responds Levin. "If I choose on my touch screen or Hart
selector, and something goes wrong between the thing that I choose and the
thing that gets written electronically, even if it gets written in three
different places, or 10 different places, or a hundred different places,
it's still different from what I selected. And if I don't have an
independent way of recording what I [saw on the computer screen] and going
back to check, there's no way of knowing. You're never, ever gonna know."

The paper system proposal is simple enough: After a ballot is cast
electronically, a paper copy would be printed and verified by the voter; if
a voter says the printed vote does not match what he or she selected, the
vote can be nullified and recast, and possibly the machine checked for
malfunction. (A bill before Congress would mandate such a "voter-verified"
system, and California Secretary of State Kevin Shelley has ordered that
all election systems in his state have one by 2006.)

DeBeauvoir has her doubts. She wonders how such a system could accommodate
those who are vision-impaired - a driving force behind the e-voting push is
compliance with the Americans With Disabilities Act, and e-voting systems
provide headphone audio that allows blind people to vote without
assistance. She also expresses concern over the mechanics of such a
process: Could a voter walk out with the paper ballot? Does the voter get
his/her own copy (raising the fear of vote buying)? Is the paper ballot
printed before or after the "cast ballot" button is pressed?

Mercuri says she has an answer for all those questions; a system she
devised that her colleagues have dubbed the "Mercuri method."

"There's a script, and all of the election officials have these negative
points. I've heard them before, I've heard her say them," says Mercuri.
"I've explained this to her [Mercuri and DeBeauvoir both serve on the
Elections Security Subcommittee of the Institute of Electrical and
Electronic Engineers], and she's heard me explain this on at least two
occasions, so the fact that she's still saying that is amazing.

"That's ridiculous. Nobody ever says that when we're talking about, you
know, like an optical scan ballot: 'Oh, the people are going to leave the
polling place with the ballot.' First of all, if a person leaves with it,
then they didn't vote. If you're going to go to that type of system, people
need to understand that. Now, if you go to my article called A Better
Ballot Box, you'll see a picture that shows how it could work. ... The
person never touches the piece of paper. ... When they see the vote on the
screen and they're ready to vote, they say OK, print the paper. It prints
it out behind a piece of Plexiglas; they see paper behind the piece of
Plexiglas; if they agree that it's OK, they press the button and it drops
in the box. So how can they walk out with it?"

As for the disability issue, Mercuri says that visually impaired or even
illiterate voters could use voice-feedback scanners to read the paper
ballot.

In any case, DeBeauvoir cannot implement a paper-trail system - any changes
to voting machines or balloting procedures must first be approved by the
Texas secretary of state, and then by the Travis Co. Commissioners Court -
so voters will have to settle for another paperless election. DeBeauvoir
insists that she is not necessarily opposed to a printed ballot system.
"I'm willing to do it," she says, "if [Travis Co. citizens] decide it's
the right thing to do." She said she wasn't sure how much it would cost to
retrofit Travis Co.'s 1,800 eSlate machines - which are not currently
designed to hook up to a printer - but "a ballpark estimate would be a
million dollars."

Hart InterCivic vice president William Stotesbery told a recent Austin
forum on e-voting that the industry sees the writing on the wall on paper
ballots and will move in that direction anyway. But he also told the
Chronicle that in addition to the cost, "What worries me about paper is
introducing a false sense of security. There was election rigging with
paper ballots, too."

Going to the Source

Paper ballots aside, voting machine companies are much less likely to share
their source codes. (Source codes, often copyrighted, are the digitized
instructions programmers use to define and operate a particular type of
software.) At the moment, they flat-out refuse to do it, arguing that
secrecy protects both their proprietary secrets and election security.

Wallach disagrees. "Open source is not a panacea for security problems,
although it's often a good thing," he told the same e-voting forum that
Stotesbery addressed. "Open source means that you have the opportunity for
people who care to go have a look. Diebold accidentally opened their
source, and we found a number of problems, and as a direct result of that,
other people have been hired to go have a look. Open source doesn't
necessarily imply that you're giving a source code away for free; it
doesn't mean that you're giving your intellectual property for the whole
world to use.

"An argument that's often made as to why you shouldn't give source code
away is that if the bad guy can see the source code, that gives the bad
guy an advantage, so we should prevent that. These arguments are typically
referred to as 'security through obscurity,' and it just doesn't work, and
it never has, and it never will. The bad guy will always know how it
works, because one of those machines will fall off the back of a truck.
It's just a matter of time. Then the bad guy can tear it apart. Or the bad
guy can go Dumpster diving and find a burned CD with a copy of your source
code somebody made as a backup, or the bad guy can get somebody employed
at your firm, perhaps as a janitor, perhaps as a programmer, and walk away
with your source code. So as long as that's part of your threat model, and
I think that's a reasonable threat model for an election, you can't build
your security around the obscurity, so you should build it around
something else."

Wallach explained further: "An ATM is secure despite the fact that bad guys
know exactly how it works. A voting system should work despite the bad guy
knowing."

Stotesbery responds, "Frankly, we think that security and protection of the
code does increase the security of it, and we have a difference of opinion
on that. ... Our customers feel more comfortable with it not being open in
most cases, [and] we feel more comfortable with it." Stotesbery also says
that the code actually isn't completely secret, as it is submitted to
governmental agencies for certification, under the condition that it is not
made public; and he insists that copyright and patent law alone are
insufficient to protect trade secrets.

The Ohio secretary of state report, completed in November of last year,
raised additional concerns: Hart does not use encryption to protect
election data sent from the eSlate machine to the election judge's
controller booth; supervisory functions in the booth (including the button
to close the polls) do not have a mandatory password; and the machines are
all connected to the booth through a "daisy chain" of cables that an
unauthorized person could easily reach and accidentally or intentionally
unplug, disrupting the election.

While the report labeled these as "high risk" problems, DeBeauvoir and
Stotesbery disagree - Travis Co. already requires a password, she said, and
Hart plans to redesign the eSlate to make passwords mandatory; Hart plans
to incorporate encryption, and in any case, the data only travels a few
feet from the voting booth to the judge's booth. Finally, should the daisy
chain be unplugged, DeBeauvoir says, no data would be lost and the
machines could be reconnected and rebooted in a few minutes. (Hart fared
better in the Ohio study than any of its competitors, which had more risk
areas identified, including the possibility of outside parties getting
access to a DRE system and altering the data within it.)

Cross Your Fingers

One of the charges in the Rice/Johns Hopkins study was that "many
government entities have adopted paperless DRE systems without appearing
to have critically questioned the security claims made by the vendors."
DeBeauvoir wants to reassure Travis Co. voters that that doesn't apply
here. Indeed, DeBeauvoir convened a diverse task force to help her analyze
the vendors that sought Travis Co.'s business, a group including experts
in computer security, programming, legal issues, and conducting elections.

The first task was to design theoretically the type of system that Travis
Co. needed: "We knew we wanted certain things for our protection. We knew
we wanted to have the exclusive control over the setting up of each
ballot. ... We did not want the vendor to do that." They wanted to be able
to produce a paper copy of each ballot (for later recall, not to be
confused with Mercuri-style immediate printing), different kinds of
audits, and equipment that couldn't be easily broken into, especially
nothing that could be accessed with a keyboard. (Some other systems,
including Diebold, are keyboard-accessible.)

"They also helped me design, for the second round, the series of questions
that we would ask these vendors. And what they suggested and what we
ultimately did was, [have the vendors] teach you how to do the system ...
and then send them away. My people had to be responsible for being able to
operate the system themselves. And I will tell you, we tried to break every
system they gave us. I wanted to break into it, tamper with it, I wanted to
see if I could do anything. We did lots of, sort of, call it dirty tricks.
We tried to mess it up. Not all of our systems that we evaluated for
purchase passed those tests. There were some gaps in security in a couple
of the systems." DeBeauvoir didn't want to name the specific vendors for
legal reasons, "but there were a couple of vendors we wouldn't consider
buying." She says she reviewed all the DRE systems that have been
certified in Texas, including the Hart eSlate, Diebold's AccuVote, ES&S's
iVotronic, and Unilect's Patriot.

She also required that the systems allow her to do manual logic and
accuracy testing. "Now that's outside the scope of law, but to me what
that says is, you're not relying on the machine to check itself." Her
election workers manually enter every bit of data for every ballot for
each different precinct. "That's one of the things that the computer
security person recommended to me that I do. And to tell you the truth, I
kind of balked at it at first, because [I said], 'Ugh, do you know what
it's going to take to do that? Are you crazy? These systems can check
themselves.' But I'm glad he did it, because what we found was, it was a
better way to confirm that every piece of equipment worked and that every
ballot was correct."

None of the above means that Travis Co. voters can truly rest easy. While
we may be using one of the best-designed DRE systems available, other
jurisdictions in Texas and around the nation have chosen the bigger market
leaders, either unconcerned by or unaware of security questions. It's easy
to imagine a train wreck heading for us that will make election 2000 look
like a speed bump. If we're lucky, it will vaporize like the Y2K scare. All
DeBeauvoir can do is take care of Travis Co., and she says she's trying her
best. She says some of the e-voting critics "can be antagonistic," and "I
don't agree with all of the assumptions [they] make, but it's important to
listen. If nothing else, if we end up doing nothing more than appeasing a
worry that is a little dubious and perhaps way out there on the risk scale;
if we end up taking steps that appease them and their concern, then all
we've done is make more people more comfortable.

"I have to serve as an advocate for voters," DeBeauvoir says. "If we've got
some people out there who are less than confident, then they've got every
right to ask the question and get an answer, and if they're still not
confident, then we keep that conversation going. It's not up to me to say,
'Oh that's just not a real problem,' or 'It's just silliness,' or 'You're
not educated enough.' That's not my role. My role is to keep answering."

You can bet they'll keep asking.

Lee Nichols is assistant news editor of the Austin Chronicle.
*********** END FORWARDED MESSAGE  ***********

Regards Steve,
mailto:[log in to unmask]
MSN Messenger:  [log in to unmask]


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

