E-Voting: Something Broken In Need of Something New
posted by Danielle Citron
Vendors assure us that security concerns about their e-voting machines are overblown and that bugs are a thing of the past. But the overwhelmingly evidence suggests otherwise and, at least for Premier (formerly Diebold), these claims ring hollow. Consider these recent events. Last week’s public hearing held by California’s Secretary of State Debra Bowen confirmed that a coding error in Premier’s Global Election Management System (GEMS) tabulation software automatically deletes the first batch of tallied votes from optical scan paper ballots after they are fed into optical-scan machines. As testimony made clear, that software flaw erased 197 vote-by-mail ballots in the November election in Humboldt County, California. At the hearing, Premier representatives admitted that every version of its GEMS tabulation software fails to record significant events that occur on the machines, including when errors in the software deletes votes or when election officials intentionally delete ballots from the system. This problem is widespread as GEMS software tabulates votes for Premier’s touch-screen and optical-scan machines used in more than 30 states. Why are such audit logs critical? They record events that occur on voting systems to ensure the integrity of elections and to help identify the source of any problems in those machines.
These kinds of problems are particularly serious as vote rigging isn’t the unheard of occurence as vendors suggest. For instance, a 10-count indictment unsealed last week accuses five Clay County, Kentucky officials, including a county clerk and election officials, of engaging in corrupt tactics to obtain political power and personal gain in violation of the federal RICO statute. The indictment alleges that an election officer defendant marked votes or issued tickets to voters who had sold their votes and changed votes at electronic voting machines. Another defendant is accused of instructing election officers on how to change votes at the voting machines. Not suprisingly, Colorado’s Election Reform Commission has recommended that county clerks do away with e-voting and shift to all-paper ballot system by 2014. But is that the answer given our long history of fraud with paper ballot systems and the complexity of local voting ballots? Your insights are sorely needed.
March 26, 2009 at 9:57 am
Posted in: Administrative Law, Technology
Print This Post
Responses (4)
JT - March 26, 2009 at 11:13 am
In the Kentucky case, it is worth noting that the business of changing votes cast on the electronic machine was done not through hacking or other electronic wizardry unique to electronic voting systems. The machines have, as mandated by HAVA, a final screen for voters to review their ballot and make sure that when they thought they had pushed the button for Smith, the vote had not been cast for Jones. (This is a good thing.)
The indictment alleges that the defendant poll workers took advantage of the voters’ unfamiliarity with the new voting machines. They informed voters that when the voters “had pushed a button labeled ‘Vote’ that their votes had been cast, when, in fact, that function merely provided a review screen of the voter’s selections in each race, and that the further step of pushing the ‘Cast Ballot’ button was required.” The poll workers could then change the votes when the voter had left the booth. (Clever, but nothing to write home about as vote fraud schemes go.)
Other voting systems are susceptible to similar trickery, especially when they are new and unfamiliar to voters; indeed, the unfamiliarity of voting devices and procedures almost certainly has a greater disfranchising impact than intentional fraud.
The Humboldt situation appears to show a more serious problem with electronic machines. The efficiency of electronic equipment seems present not only when the machine is operating properly, but also when a human makes an error, as humans are prone to do. Thus a mistake by the poll official or programmer, with marvelous efficiency, erased a large number of ballots rather than just one or two, with a flick of the wrist. I don’t know enough about computers to know whether it would be possible — with the appropriate proprietary codes — to reconstruct the erased ballots.
Steven M. Bellovin - March 26, 2009 at 4:57 pm
Let me refer folks to Matt Blaze’s blog post on the Kentucky incident: http://www.crypto.com/blog/vote_fraud_in_kentucky/
The last paragraph is frightening: “But that’s not the worst news in this story. Even more unsettling is the fact that none of the published security analyses of the iVotronic — including the one we did at Penn — had noticed the user interface weakness. The first people to have discovered this flaw, it seems, didn’t publish or report it. Instead, they kept it to themselves and used it to steal votes.”
What I teach my classes is that you don’t go through strong security, you go around it. A consequence of that is that someone evaluating the security of a system — any system, not just voting machines — has to look at the *entire* system, including the people-facing parts. Thus, the easy way to get a fake US passport is not to forge one; rather, you steal some identity documents and get a genuine passport in someone else’s name: http://fcw.com/articles/2009/03/16/us-passports-vulnerable-to-fraud.aspx
I don’t think there are easy answers to voting systems. The advantage of paper ballots is not that they’re fraud-proof; rather, it’s that there’s something to examine later. In the Humboldt County case mentioned above, the pieces of paper can be rescanned once you’ve determined that there’s a problem. One can do forensic examinations of the ballots. I’ve seen pictures of election officials opening and inverting the ballot boxes before a crowd, before the start of voting, to show that they’re empty.
Software, by contrast, is fiendishly difficult to audit. You will *not* find malicious code unless you’re both very skilled and very lucky — and that code can delete or tamper with more or less anything.
The challenge is not to react reflexively and adopt one technology instead of another; rather, it’s to find the one that both minimizes fraud and maximizes the opportunity to detect residual fraud.
Miriam - March 26, 2009 at 10:59 pm
We have an excellent system in Minnesota. We use paper ballots that are then optically scanned. This gives us the safety of paper ballots with the efficiency of electronic counting.
It is not perfect – but really the problems we had with the current recount were due to absentee ballots – not votes that were cast on Nov. 4th.
Joe - March 27, 2009 at 9:47 am
So we’re back to paper ballots? Sometimes the more complicated, technologically advances alternative isn’t necessarily better or more efficient. It’s just more complicated.
Leave a Reply