Slashdot Mirror
Inside Electronic Voting Machines
Alien54 and several other people wrote in about a couple of stories published in a New Zealand webzine: an examination of an electronic voting system, and some less interesting political speculation about it. Diebold voting systems are in fairly wide use, and apparently provide zero security to keep election officials from writing in whatever election totals they want.
Suddenly hanging chads aren't so silly anymore...
The cancel button is your friend. Do not hesitate to use it.
It should be required that machines use open-source code, and some mechanism be provided for public inspection of the machines to verify the code hasn't been altered, some sort of checksum mechanism.
The short story is that they were all very flashy and glitzy, but all had severe problems with security and/or usability. We eventually decided to run a pilot program in last year's off-year election and try out 5 of the most promising machines in a real-world election. The final winner will be used across the state in 2004.
No more hanging chad, but I think we are going to have a whole new set of problems to deal with.
"Then we can get to work on helping the rest of the world with their troubles."
Maybe if you looked outwards more, at countries who can already run a fair election for example, then p'raps you could get around to helping us all out much quicker!!!
Any computer data can be quickly and easily changed. The best solution I can think of is to print out two paper receipts for each vote, one to go to the election commission (for manual recounts) and one to go to the voter. Each receipt would contain a random code which the voter could then type in on a web site to verify their choices have not been changed. Of course, most people wouldn't bother to verify, but it only takes one person to catch vote fraud.
"Freedom means freedom for everybody" -- Dick Cheney
The only solution I can suggest for an all-electronic voting system would require extensive use of cryptography. Every voter would have to register a public key and every vote would be cryptographically signed. This would require a database of public keys outside of any political influence and it would also require that voters keep their private keys secure, both of which are enormous problems.
Given these drawbacks, an antequated punchcard system doesn't seem quite so bad...
The US military wants to make sure that US servicemen/women overseas can vote. That's not a bad thing and there is a US law that requires this.
But there is a bad thing - the system they are promoting runs on MS Windows - including Win 95/98 - using Internet Explorer (5.5 and up) and Netscape.
Somehow they have in their minds that if they run HTTPS and require anti-virus software that the machines will be secure enough so that votes made through those machines won't be buggered.
Oh, and did I mention that the voter registration occurs through the same machines and same web-browser/https mechanisms?
Seems to me that this is a recipie for disaster - I don't consider any operating system safe from tampering, particularly none of the MS products. And these machines will likely be shared by many people, configured by DHCP (itself a security risk), perhaps with programs being loaded over insecure nets from insecure file servers, and crossing the internet via web proxies, "transparent" web caches, WCCP, and who knows what else.
This could make Florida 2000 look like a picnic.
Their article is interesting, but a bit misguided IMNSHO. First they harp on the three sets of ledgers. Well what's the big diff. They say that this somehow allows more leeway to fudge, well actually it doesn't. The fact is that you have to know that there are three sets and exactly which sets of reports get their data from which sets (a very lame attempt at security thru obscurity?). Having a single ledger means that you only have to go to a single place to mess with things.
But the biggest problem with there report is that they spend a lot of time talking about essentiallly one issue, that the tables are available for anyone with the password to edit and manipulate. There doesn't seem to be any type of tiered access and because they use access, a TRUE audit trail can not be created.
I would think that a voting system would be important enough to warrant the extra time to create a custom DB that audits absolutely everything to a file/table that can't be touched by anyone but the app (e.g. only the app can add rows and rows can never be deleted). I assume that Diebold was able to use Access because it made their bid lower and the company that actually had a decently secure system was underbid.
I smell a voter's lawsuit, oh to be a lawyer.
Vote tallies have been different from exit polling in recent elections (that's one of the reasons people were looking at Palm Beach County), and what has it gotten us? Besides, in 2002 we had almost no exit polling because of the convenient demise of the Voter News Service. Exit polling is hardly a solution to flawed electronic voting systems.
Fortunately, as someone who has served as an election judge (working the polls) in Minnesota, I can tell you that these concerns are a little overblown. We use the optical scan machines here, and we submit the precinct detail report (list 1 for those who read the article) to the county electronically and in paper format (3 copies). Additionally, we have all the paper ballots that were filled out by the voters carefully stored in the machines during the voting period, and then mailed to the county in sealed envelopes and signed by all the election judges.
Not only is the written process pretty fail-safe, but I worked an election where there was a discrepancy between our ballot count (kept as people vote) and the machine count at the end of the day. We hand-counted all the ballots (they were bubble test style, so no hanging chads or dimples) to make sure the count was accurate. Even if someone had hacked the voting machine, there was little chance for them to bust into the voting machine to steal or alter the ballots.
Additionally, although some nefarious person could hack the machine, I have no idea when they would. Most polling places have a team of election judges present from the time the machine is unlocked until after the results have been transmitted. Judges are not supposed to linger near the voting machine for any length of time. Certainly it's important to implement appropriate safeguards in the software (such as the automatic numbering system that was disabled for the log file), but chances of election fraud due to machine tampering are pretty darn low.
Under capitalism man exploits man. Under communism it's the other way around.
It doesn't have to be the Republicans themselves. Just people who would benefit from them being in power.
It may interest you to check campaign contributions from executives at Diebold. They seem to like to give quite a bit of money to the Republicans. Just a quick taste:
Walden W. O'Dell
Chairman of the Board, President and Chief Executive Officer, Diebold
2/14/01 $2,015.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
1/30/01 $3,950.00
RNC REPUBLICAN NATIONAL STATE ELECTIONS COMMITTEE
8/16/01 $500.00
VOINOVICH FOR SENATE COMMITTEE
12/17/97 $1,000.00
VOINOVICH FOR SENATE COMMITTEE
6/30/00 $1,000.00
DEWINE FOR US SENATE
Yes, Diebold and ES&S are both closely tied to the Republican party, and have been for a long time. If you look at their campaign contributions for the last election, you will see that everyone that gave, gave only to the GOP.
Chuck Hagel still owns stock in ES&S's parent company. He has won every election that used ES&S machines to count the votes.
photosMy Photostream
I found this gem on alternet:
While we may look at hacking or intentional fraud as one of the only (or few) potential abuses WRT electronic voting, we might forget about structural abuse like we've seen in Florida. It makes me laugh when someone comments on a vote saying "the people have spoken". We should just roll dice instead..."What is the sound of one belly slapping?"
Try to reconcile these comments with how the system is secure with the system that was described by Bev Harris... It is full of strawmen. I think my favorite part is that they'll keep it secure by never allowing patches to be applied to the Microsoft Windows OS.
- begin here -
Security in the Georgia Voting System
Britain J. Williams, Ph.D.
April 23, 2003
Introduction: The State of Georgia replaced all voting systems statewide with a computer-based voting system. This system, known as a direct recording electronic (DRE) voting system, was first used in the November 2002 election. This voting system, described in the next section, is computer based. As a result, questions have been raised regarding the vulnerability of the system to attacks by hackers and persons attempting election fraud.
Overall security of any computer-based system is obtained by a combination of three factors working in concert with each other. First, the computer system must provide audit data that is sufficient to track the sequence of events that occur on the system and, to the extent possible, identify the person(s) that initiated the events. Next, there must be in place well defined and strictly enforced policies and procedures that control who has access to the system, the circumstances under which they can access the system, and the functions that they are allowed to perform on the system. Finally, there must be in place physical security; fences, doors, locks, etc.; that control and limit access to the system. This article describes how these factors are incorporated into the election system in the State of Georgia.
Overview of the Georgia Voting System: The computer-based election system deployed in the State of Georgia is classified as a direct recording electronic (DRE) system. The components of the system consist of the following:
Standard personal computers running an executable module known as GEMS, Global Election Management System. This system, called the GEMS computer, is used to define the election, enter the candidates and questions, and format the ballots for the voting devices. This computer also accumulates the votes after the polls close and prints various reports and audits.
Touch-screen voting stations are used for in-person voting.
Optical ballot scanners are used for absentee and provisional voting.
Each county election office in the State is equipped with a GEMS computer. This computer is used to define elections and format the ballots for both the touch-screen voting stations and the absentee (paper) ballot scanners. The system also produces files that can be sent directly to a printer to print the absentee and provisional ballots.
When the election definition is complete, the GEMS system produces PCMCIA cards, also called PC memory cards, which are used to program the touch-screen voting stations and the ballot scanners. One card is produced for each voting station and ballot scanner.
While still in the county warehouse the voting stations are arranged by precinct and the PC cards are inserted. In the days just before the election a series of tests called Logic and Accuracy tests are conducted. These tests are designed to confirm that the voting stations have been properly prepared for the election and that they correctly register all votes cast. These tests are open to the public. At the completion of the Logic and Accuracy tests the voting stations are sealed and delivered to the precincts.
On the morning of Election Day the Precinct Manager and Assistant Precinct Manager break the seals and prepare the voting stations for the election. The first step in this process is to print out a 'zero totals tape'. This tape verifies that no votes have been recorded on the voting stations prior to the opening of the polls. As the voters cast their ballots on a touch-screen voting station their choices are recorded on the PC memory card. The absentee ballots and provisional ballots are processed through ballot scanners and their votes are r