Friday, August 29, 2008

Proposed Mitigation for GEMS (and other EMS) Vote Deletion

Updated August 29, 2008 to emphasize the point that this is NOT just about "electronic voting machines", undisclosed software, or paper ballots, as some have suggested. It's about Election Management Systems, software bugs (disclosed or otherwise), checks and balances, and good old common sense.

So Diebold/Premier's Global Election Management System (GEMS) drops votes from precinct-based tabulator uploads. Surprise, surprise!




Even if this were not happening all by itself, it was demonstrated four years ago that it's trivial for an insider, or an outsider with GEMS access, to make this and even worse things happen by way of GEMS' Microsoft Access database and perhaps other vendors' "central tabulators." Therefore the potential for central tabulator vote miscounts, as well as manipulation, is nothing new -- and it does not necessarily depend on the use of "electronic voting machines." Any voting system is at risk if there are no checks and balances!

The GEMS code has been reviewed from "Top to Bottom" and this latest bug was not detected, proving yet again that NIST researchers had it right when they said that
"experience in testing software and systems has shown that testing to high degrees of security and reliability is from a practical perspective not possible." [Emphasis added]

During the last 4 years, no federal legislation, other than the ill-fated H.R.6414 in the 109th Congress, has been proposed to deal with this problem, even though the problem could be widespread and can be easily mitigated. (See this March 2007 post here at Election Integrity: Fact & Friction for more information.)

So Fix It Already!

The audit that needs to be conducted to find precinct aggregation errors is called a precinct aggregation audit. It could in fact be a 100% audit or "recanvass" of all precincts' election-night tallies, including but not limited to those produced only by software. While post-election auditing usually means comparing hand counts of a sample of paper ballots or VVPATs to software-determined counts of the same votes, in this case the audit need not be limited only to paper. See this story about how the Iowa Democratic Party made such an audit possible for their 2008 caucuses, which are actually voice votes.

Paper is not a requirement for such an audit, except for the permanent paper record produced by the voting system according to HAVA Section 301, which can be used to correct central tallies found to be in error in the event there are no voter-verified paper records to count by hand to make such corrections. This should be a requirement for all jurisdictions and could apply to paper-based, paperless, lever machine, and even hand counted paper ballot voting systems.

As for jurisdictions who do vote on paper, on July 18, 2008 here in NY, where fortunately we still don't have e-vote counting, we proposed regulations to deal with this sort of thing in the future. They coordinate the usual post-election "spot-check" audit (and hopefully a better audit that will eventually be approved by the State Board of Elections) with NY's existing 100% recanvass law that is already applicable to lever machine tallies. Here is the text of the proposed regulation for anyone interested in writing one for their state, or telling the NY State Board of Elections to approve this one and our other improvements to Part 6210.18 preferably before the State rushes headlong into unreliable e-vote counting for no particularly good reason.

As always, the term "election district" in NY is synonymous with the more generic term, "precinct."

Section 6210.18 Recanvass and Audit of Vote

A. Prior to the audits required by this section, the recanvass of vote in every election district (ED) in the state shall be conducted pursuant to NYS Election Law Section 9-208 by comparing all electronically displayed, recorded, printed or transcribed tallies of the vote in each ED, including those displayed, reported or aggregated by any centralized election management or tabulation software. Any discrepancies found in the recanvass of vote shall result in an immediate manual recanvass of all the voter-verifiable paper audit trail records produced or counted by any machine or system used to tally the vote in any ED in which such discrepancies were found. Pursuant to NYS Election Law section 9-211(5) and notwithstanding any other provisions in these regulations, if a voting machine or system is found to have failed to record votes in a manner indicating an operational failure, as evidenced by a discrepancy between two or more electronically displayed, recorded, printed or transcribed tallies, the board of canvassers shall use the manual tally of the voter verifiable paper audit trail records to determine the votes cast on such machine or system, provided such records were not also impaired by the operational failure of the voting machine or system. Such recanvass of votes made pursuant hereto shall thereupon supersede the returns filed by the inspectors of election of the ED in which the original canvass was made.
Now the State Board of Elections has not approved this proposed regulation....yet....but they haven't certified any e-vote counting systems either. So as usual, we are treading water here in the Empire State. Things could be worse.

We can only hope that this and other proposed regulations to deal with e-vote counting will actually be adopted -- prior to the implementation of such high-risk systems to replace lever voting machines. But better yet, let's forget the whole e-vote counting thing, keep the lever machines, and get back to running free and fair elections! That would be real progress.

As for the rest of you who actually have your votes counted on this junk, please try to get with the program before there's an election or something!

Sunday, August 17, 2008

NEW YORK'S BACK DOOR TO THE BALLOT BOX

Due to the unobservable and mutable nature of software used to count votes at elections, full or partial post-election hand recounts of voter-verified paper ballots (VVPBs), also known as post-election audits, are now considered by many to be the "gold standard" of election integrity. Historically, this has not been the case, but as a recent electronic voting system security paper by Haldeman et al (who have actually hacked optical scan and DRE e-vote counting systems for the State of California and demonstrated some of their work to members of Congress) stated:

"While conducting a thorough audit may be time consuming, it provides a higher level of confidence in the integrity of the result than any other mechanism we have been able to identify."
But in 2008 in the State of New York, some disabled voters whom HAVA was intended to help may be putting their votes at risk, even if their ballots are counted by hand. And in 2009, they may have a lot of company. This is because at least one electronic vote-counting system, to be used only as an accessible ballot marking device (BMD) this year in dozens of counties in the state, features a low-tech way to corrupt even a rigorous post-election audit procedure or a full hand count: an old fashioned stuffable ballot box.

As this video by election integrity advocate Rady Ananda and attorney Andi Novick clearly shows, software-based electronic vote counting is not the only thing New Yorkers will have to worry about in the state's rush to comply with HAVA:

Attorney Andi Novick inserts several ballots into a slot on top of the Sequoia/Dominion ImageCast precinct-count optical scan voting system that enables stuffing of the locked ballot box.

You can read more about this at Op Ed News, but it's no wonder that Novick, who founded the Election Transparency Coalition of NY, is planning on suing the state for violating its own Constitution by allowing electronic vote counting, and now perhaps even facilitating the kind of old fashioned paper ballot box stuffing reminiscent of Tammany Hall.

To date, we are not aware of any other open-ended vulnerability, security or penetration testing of the Sequoia/Dominion ImageCast machine, but clearly, it is only too easy to penetrate with low-tech methods such as ballot box stuffing. New York will be hand-counting the BMD ballots this year, instead of relying on software-driven optical scanners which have thus far exhibited hundreds of discrepancies in their source-code reviews against the 2005 federal Voluntary Voting System Guidelines that the state requires voting systems to meet as part of its certification process. But even a full hand count cannot compensate for a stuffed paper ballot box!

There ought to be a law -- and wouldn't you know it? There is!

It's not as if previous New York legislatures hadn't anticipated such nefarious intent; ballot box stuffing is as old as the hills. So what remedies does the NY Election Law provide in the case of a stuffed ballot box?

In their wisdom, our forefathers decided that the best way to deal with a stuffed ballot box was not to count the stuffed ballots. But because a clever attacker would take great pains to ensure that there was no way to distinguish between stuffed ballots and those cast legitimately,
Election Law § 9-110 (2) states:
"[S]uch ballots shall all be replaced, without being unfolded, in the box from which they were taken, and shall be thoroughly mingled therein, and one of the inspectors shall, with his back to the box, publicly draw out as many ballots as shall be equal to such excess and, without unfolding them forthwith shall enclose them in an envelope which he shall then and there seal and endorse 'excess ballots from the box for ballots for the general election, presidential electors, or party ballots or otherwise', as the case may be, and shall sign his name thereto, and place such envelope in the box for defective or spoiled ballots."
In other words, the number of excess ballots must be randomly removed from the box, without anyone even knowing which ballots were legitimate or which had been illegally stuffed. Such ballots are then set aside -- never to be counted!

While such measures may seem draconian, randomly disenfranchising some voters whose ballots are removed from the box is preferable to allowing the counting of all the excess ballots that are known to be fraudulent. Stuffed ballots would most likely contain votes exclusively for a particular party or candidate, some of which would be removed at random under the law. Even so, in a highly partisan precinct that votes 90% for the preferred party, a ballot box could be stuffed with ballots voted 100% for the opposition, thereby suppressing the preferred party's advantage. Removing ballots at random and not counting them would do little to ameliorate this situation, but it's the best that could be hoped for under the circumstances.


Obviously, it's very likely that voters would be disenfranchised if legitimately cast ballots happened to be randomly removed. Unfortunately, this year in New York, the voters most likely to be victims of a ballot stuffing attack would be the very voters HAVA was intended to help -- disabled voters.

So much for the election-night count; what about those post-election audits?

For decades, statisticians and EI advocates have known how to calculate the number of ballots that need to be hand counted to see who won elections counted by software with high confidence. It's not usually all the ballots, but at times, such as the 2000 Presidential Election in Florida and the 2004 Gubernatorial contest in Washington, a full hand count (or perhaps preferably, a re-vote or runoff election) is necessary.

In a ballot stuffing scenario, a properly designed audit that also includes ballot accounting will reveal more ballots than voters (unless of course the poll books were also "stuffed" with fake signatures), but election results will still be spoiled by ballot stuffing unless the auditors could discern legitimate ballots from fraudulent ones. This would not be an easy task.

A current draft of the New York State regulations for optical scan voting systems would allow about 4,000 legitimate ballots per box, and the poll worker training manual for the Sequoia/Dominion ImageCast states that the the system's ballot ID number only "distinguishes between ballots from different districts, but can never be used to identify an individual ballot or voter." New York's Constitution requires secret ballots.

What’s worse, if the machines and ballots were left unattended in a warehouse with their back-door ballot stuffing slots exposed, anyone could insert extra ballots that could be used to disrupt a post-election audit; trigger an expanded audit when vote count discrepancies were discovered; and even trigger a fraudulent recount of all the paper ballots which, under NY Election Law, could change the outcome of an election.

At the very least, an election could be thrown into a state of chaos and uncertainty, resulting in litigation that could drag on for months after the reported winner has taken office, undermining public confidence.

So, how do we protect disabled voters who choose to cast their ballots on these insecure "HAVA-compliant" systems? At the Aug. 4th State Board of Elections meeting, Co-Chair Douglas A. Kellner suggested hand counting these paper ballots on election night at the polling place. That's a step in the right direction and regulations may soon be drafted to require it.

But in 2009, nearly all New York voters will be expected to cast paper ballots at polling places, have them optically scanned, counted by computers, and deposited into these stuffable ballot boxes. So what's the plan to protect the rest of New York's voters?


Everything Old Is New Again

Until now, stuffing ballot boxes at elections in New York was thought to be a thing of the past, thanks to our decades-old, yet reliable lever voting machines. We can only guess what other “back doors” may exist in the proprietary, unobservable, undetectably mutable ImageCast software, but if this obviously shoddy hardware design is any indication, it could be the tip of the iceberg. New Yorkers therefore need to think twice before actually allowing their votes to be counted on such machines.

Professor Bryan Pfaffenberger of the University of Virginia Dept. of Science, Technology & Society was awarded a National Science Foundation grant to study the lever voting machine. In Machining the Vote, he defends levers, which were designed with an eye toward preventing paper ballot fraud:
"Having studied the history, I strongly believe that there would be no such call for paper if the ugly history of fraudulent practices enabled by paper ballots were known -- unfortunately, the American people have forgotten the lessons they learned a century ago, and I greatly fear that we will have to repeat them in order to learn them again.

"In my analysis, the lever machine deserves recognition as one of the most astonishing achievements of American technological genius, a fact that is reflected in their continued competitiveness against recent voting technologies in every accepted performance measure."
Dr. Richard Hayes Phillips, who like Rady Ananda, and unlike many armchair investigators and pontificators, has first-hand experience investigating the 2004 Presidential Election in Ohio, wrote in a recent essay entitled: In Defense of Lever Machines,
"I simply will not defend the use of paper ballots if they are transported to another location before they are counted. I would much rather have lever machines counted at the polling place than any system, paper or paperless, counted elsewhere."
Some may claim that software-driven "precinct-count" optical scanners fulfill this requirement, but how do we know that the paper ballots will in fact be counted correctly by these special-purpose trusted computing devices? (Hint: we don't!)

Once again, it's important to remember that the reason for a post-election audit is that we can't trust election results produced only by software. Don't be lulled into a false sense of security because the software has been "certified." Researchers at the National Institute of Standards and Technology have clearly stated: "[E]xperience in testing software and systems has shown that testing to high degrees of security and reliability is from a practical perspective not possible." [Emphasis added.]

And as e-voting expert Dr. Avi Rubin of Johns Hopkins and the ACCURATE center ruminated in his blog:
"The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. [Y]ou cannot certify an electronic voting machine the way you certify a lever machine.... [W]e absolutely expect that vulnerabilities will be discovered all the time....

"Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software."
A post-election audit, widely viewed as the best we can do to mitigate the risks of software-based electronic vote counting systems, can only be effective if the chain of custody of the paper ballots is absolutely secure. We are not convinced that this will be the case with the system shown in the above video that has already been purchased by most New York counties for the exorbitant sum of $12,000 apiece. (Not to mention the fact that the State Board of Elections has yet to approve our suggestions for risk-based post-election audits, leaving up to 97% of the vote in the State counted only by software.)

The Worst Voting System Around

Let's stop pretending that e-vote counting systems -- with or without paper trails -- are safer overall than a voting system comprised mainly of lever voting machines. There is no evidence to support such claims, especially given the way paper ballots are being used and abused -- particularly with respect to software-driven computerized optical scan "recounts" that are rapidly becoming standard practice in state after state in lieu of the even less trustworthy DREs they are replacing.

The fact is, like democracy itself, lever machines are the worst voting system around -- except for all the others that have been tried.


If you vote in New York, and you'd like to sign the petition in support of Andi Novick's lawsuit to stop the State from replacing lever voting machines and counting votes with software, or to become a plaintiff in the case, go to: http://www.petitiononline.com/etcnysls/petition.html.