California Sues E-Voting Vendor ES&S
Gustoman writes with news that the California Secretary of State has sued ES&S, a vendor of e-voting machines, for selling machines that were modifications of the model that has been certified. Apparently ES&S relocated two circuit boards, rerouted several internal cables, and changed some mounting bracket supports in their AutoMark A100 devices, named the modified version AutoMark A200, and sold 972 of them to five California counties. The changes sound somewhat trivial, but the certification contract specified that no "substitution or modification of the voting systems shall be made with respect to any component of the voting systems... until the secretary of state has been notified in writing and has determined that the proposed change or modification does not impair the accuracy and efficiency of the voting systems sufficient to require a reexamination and approval." The state is seeking a penalty of $10,000 per machine sold, plus the cost of the machines to the counties — almost $15 million in all.
If they are different enough for the company to give them a new model number, they are different enough to need recertification.
I was thinking the same thing. The problem is you can raise the bar high enough that corruption becomes viable for both sides. This case will hopefully make the chuckle-heads behind the voting machines realize that they need to be building bulletproof systems and not barely good-enough consumer goods. Think embedded system rather than an MS Access 'solution.'
a) They didn't think it was that big of a deal.
b) They forgot.
The actual error isn't terribly worrying, but the process failure that led to the breach of their contract, especially for something that could have been complied with quite easily, is not the sort of thing you want to see going on at a company that makes closed source voting machines.
There's no failure quite as dissatisfying as a complete and total solution to the wrong problem.
"There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy."
Do you want your vote counted by people who can't read a contract? We used to have client documentation requirements of two ring binders for some and three ring binders for others. If we did it wrong, we would have lost 10% of the payment for a 20 million dollar machine. You bet the requirements were checked and double checked.
This case also serves as a warning that California will not take any crap from the vendors. It may prevent any further 'mistakes.'
SOME LINES FROM THE ARTICLE...
Does relocating two circuit boards, rerouting several internal cables and changing some mounting bracket supports mean an e-voting device must be recertified to meet state e-voting requirements?
The company also contended that the changes to the AutoMark A100 were so minor that ES&S was not required to submit them for review.
The only changes made to the devices were minor engineering modifications, according to ES&S.
Let me answer the question at the beginning of the article with a resounding YES!!!!!!!!!! YES YES YES! What if the software was written to act differently (cheat) if a bolt was in a certain place, if the color of some paint was different, or if something else was a certain height? A company can just say "these are just minor changes that have nothing to do with the operation". You see, the contract was written to cover things like this. I am not saying the company had ill-intentions, but if they did violate the contract it's just stupid and - I guess if I can stretch it - a bit suspicious.
Sometimes simple modifications substantially weaken security. The relocated circuit boards could make it easier to swap chips, or make targeted DoS attacks which can easily alter elections easier to effect. It's well known that most election districts have a history of voting for candidates of a certain party. If you knock a bunch of machines offline in just a few of the ones for the opponent, you can cause the lines to be long enough fewer people will vote, and unless it would be a landslide, the election results change. As for how to knock the machines offline? Instead of needing a NERF gun, perhaps the changes allow something as simple as a high power white noise generator with an antenna beneath a person's clothes to do the trick.
I could understand Cal's concern if different IC's were used, or if code was re-flashed. But if the two machines had the same circuit diagram, same components, and code, this penalty seems zealous. I live in California, and it's painful to see bureaucratic zealots nominally on my side, but being far from reasonable. This particular error on the part of the voting machine company appears to be on the level of a failure to file necessary paperwork.
...
The contract didn't say "penalties only if re-flashed", instead it mentions any modifications need to be examined and approved. If you signed that contract you must be an idiot to do this substitution. You have to be strict or else you have more "diebolds". Any and all changes must be examined. All penalties assessed would be based on contract law. Paperwork is how a legalist society is run. It's not like jumping through hoops is new to government contractors.
You play the 'D' card. And having an e-voting executive promise to deliver an election to a particular candidate offends me to no end. However the machines in question, machines for the deaf that print out a ballot to be scanned, do not offend me. Diebold's machines, as do most other e-voting systems, do. Still, the DA seems overzealous.
A relevant quote from the article:
One condition of that certification, according to her office, was that no "substitution or modification of the voting systems shall be made with respect to any component of the voting systems
So it appears that what it might come down to is the definition of 'component'. Taken too loosely, a change in the Pantone color of the plastic of a button would clear the hurdle. Taken appropriately, well, 'appropriately' will be something for the courts to decide. It might all come down to something like a quote from a hero of mine: "It depends on what the definition of 'is' is."
__ Someday, but not this morning, I'll finally learn to use the preview button.
Really? Where shall we draw the line then?
There is surely enough electronics in these machines that it would be trivial to conceal a circuit that changes its behavior depending on how various circuit boards are physically mounted in a chassis, even when all the connections appear visually equivalent.
Without visibility of the source code, we have no idea what it's doing under normal circumstances, much less when bits inside of it are physically rearranged. Hell, even with full schematics and source code, things could be easily hidden in production units. No matter what we do, we're taking their word for it.
Get rid of the machines.
This is EXACTLY what happened with all those Chinese product safety scandals. A safe 'certified' product gets produced in China, someone there decides to change something, and BAM the product turns out to be unsafe.
Certification is meant to be "I seen this product, I tested it, it is safe". If you then CHANGE that product, that means the test is no longer valid.
And yes, that is down to the size of the screws. In this case that would matter a great deal, voting machines are supposed to be tamper proof. Change the screws and it might be a lot easier to open all of a sudden.
If you work with products that are certified, then you must keep the product the same. Those are the rules, it is in the contract.
Really, with the recent stories from China I would think nobody would be stupid enough to think it a good idea when products are changed on the production line.
It don't matter that the changes may not have an impact, HOW ARE WE SUPPOSED TO KNOW.
The deal with this kind of situation is, you produce a product in X form. That form is tested and gets certified. If you then change it, it has to be retested and recertified because without it that product has suddenly become untested and your word isn't good enough or we would have gone through the first testing and certification in the first place.
Do you trust voting machine companies? You must be a Diebold stockholder.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
The new Republican only software service pack was an upgrade to improve machine performance and simplify the voting process.
It is this simple.
The law REQUIRES Certification of the Voting Machine to be used/sold. ESS had the A100 certified. They are allowed to sell the A100 in CA.
ESS made a newer model the A200 and sold them uncertified to districts.
I don't care what the changes were, You put a sticker on it that wasn't there during certification it's uncertified. PERIOD. Finish engineering the damn thing before submitting it for certification.
Let this be a lesson to the makers of these types of machines. ONLY CERTIFIED VOTING MACHINES are legal.
Frankly, I'm disappointed with you guys for your wishy washy interpretation just because we are a bunch of engineers doesn't mean we don't have to take their side when they violate the law. Especially when it comes to something so vitally important to our democracy.
I couldn't agree more with this comment from the Sec of State.
"ES&S ignored the law over and over and over again, and it got caught," Bowen said in a statement. "California law is very clear on this issue. I am not going to stand on the sidelines and watch a voting system vendor come into this state, ignore the laws and make millions of dollars from California's taxpayers in the process."
Thank You, that is all.
OSGGFG - Open Source Gamers Guide to Free Games
I see your point, but this is one of the reasons "mil-spec" parts cost so much. You get what you ordered, not what some vendor decided you might like instead. And those small differences add up. Cable locations affect air flow and thus cooling. A very minor component change, such as a minor network chipset change, can swap network ports. And failing to notify the customer of the change is a very, very bad practice, especially in a sensitive system, because when a technician opens it up and two otherwise identical systems with the same model number don't match, foul play is going to be suspected.
I hate to tell you, but a change in the color of a key could be important. What if that change made the key unreadable to color-blind people? Or reduced the contrast so it was harder for a partially-blind person to read? These details can be important when you're dealing with something like a voting machine. Sure, maybe my scenarios don't seem likely, but they are possible, and that's why the government wants the chance to make the call, not the voting machine company. Notice that (at least the way I read this) the government of California isn't asking to re-certify trivial changes, they're merely asking to be notified of any change (no matter how minor) so that the government of California decides what is trivial, not the vendor.
What if they have some solid state gyros, that act differently based on said boards' positions. Or if that is so complex to accomplish for some idiots, who cannot fill in some papers; What if the PCB is designed in such a way that, when you use a one size bigger than standard nut, it acts as a jumper and changes results...
They had a contract. The supplier failed to follow it. Breach of contract is handled like this, I doubt the contract had anything about "just return it and go elsewhere" in it (also I'm not sure govt spending can be redirected as easily as that, remember that there's the whole lowest bidder thing to go through). Even if, that would cause additional costs for the govt because of the additional work to get another machine made. If a store sells you a product that's not what you told them you want that's fraud, if a supplier sells you something that's not what the contract specified that's breach of contract.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
http://www.news4jax.com/politics/3890292/detail.html
"The software is not geared to count more than 32,000 votes in a precinct. So what happens when it gets to 32,000 is the software starts counting backward," said Broward County Mayor Ilene Lieberman.
The article says that they'd known about the problem for two years and failed to fix it.
http://abcnews.go.com/US/comments?type=story&id=2646802
Randy Wooten figured he'd get at least one vote in his bid for mayor of this town of 80 people even if it was just his own. He didn't. Now he has to decide whether to file a formal protest.
http://backslash.slashdot.org/article.pl?sid=06/08/01/191235
The Open Voting Foundation's disclosure that only one switch need be flipped to allow the machine to boot from an unverified external flash drive instead of the built-in, verified EEPROM
There have been tons of mishaps with those machines reported on Slashdot alone... I certainly don't blame them for throwing the book at them and fining them for all they're worth. It certainly sends across the message that the voting system is not to be fucked with and hopefully it can help prevent situations like the above.
bah.
If I was a voting machine vendor, and I wanted to hide a hack, er... miss an accidental bug, in the original hardware, I would just have a ground point that enabled the alternate code. Then the only modification needed would be to leave off an insulating washer. Far less than the modifications done to this machine.
The company obviously doesn't treat elections very seriously and should be smacked down.
An election doesn't just have to work right, it has to be SEEN to be working right - that is PART of the "deliverables". Otherwise people may rightfully get pissed off.
Say in an "old school voting system" you had a company in charge of transporting ballot boxes from the booths to the counting stations, and one of the trucks took a "minor detour" on the way, maybe for the convenience of the company or the employees (take a leak or buy a drink etc).
Sure, nobody might have tampered with the stuff, but the elections get "damaged".
How damaged who knows. The eventual losers could kick up a big fuss. You might piss off millions of voters.
The company obviously doesn't deserve to be in the election system business.
The USA spends so much money in Iraq on "regime change" AKA picking the leaders there, but when it comes to picking the leaders back home - "it's only a minor modification" or we'll let Diebold's rejects who wouldn't be able to make ATM machines build voting machines for us.
For me, it has always been surprising that you Americans have all these problems with voting machines. Voting is a simple enough process, why would anybody need a machine to do it?
I think it's always better to do it the traditional way, you go there with your ballot and put it on a clear box, after somebody has checked that you are who you say you are, and that you are supposed to vote. Painfully simple, completely fool-proof. It takes a bit more people to do it, but it's just as being in a jury.
I see absolutely no downside about doing it the traditional way. Is there any reason to do it with machines in America, or you do it that way just because it's cooler?
Tis women makes us love, Tis Love that makes us sad, Tis sadness makes us drink, And drinking makes us mad.
Government lives and dies by paperwork. Vendors know this, govt employees know this. After all, a speeding ticket is just not following the "paperwork". Or how about Taxes, filing those properly is just some "paperwork" as well.
When the military orders hammers they order an EXACT hammer, down to what color and finish... it's all very important to somebody so the specs have to be followed exactly, even if the hammer is functionally identical, that's not good enough. It's high time that computer and software people get the message and play by the same rules as other vendors when they produce their products. Software makers need to learn how to follow their OWN documentation and provide the exact documented service called for in the contract... when it comes to e-voting even 1 line of code errant is cheating, it would be as important as "just changing" a line item of your taxes because the form "works better" that way.
The FDA and IRS and Military and Casinos and Banks all demand EXACT procedures when lives or money is on the line.... I'd say VOTING is even MORE important that the rules be followed. It's a fundamental shift in how software is expected to be provided and operated that's been LONG overdue. The whole attitude in software that it works "good enough" so release and move on has absolutely no place in the e-voting market any more than in banking or running the space shuttle... a certain large software Making Software firm refuses to be bound by those kind of contracts even when it's the military doesn't mean their underlings can get away with it forever.
The answer to your question is in your post.
It's true that voting is a simple process. Rigging a vote, however, is not as simple; and printing ballots does not have as high a profit margin as selling a voting machine.
The reasons for the machines and the reasons for the non-traditional way are: to make more money for friends (and campaign contributors) of politicians and to facilitate getting the desired (and paid for) result from an election.
It has nothing to do with the intelligence or lack thereof in the American voting populace.
But the story gives the rest of the clause:
...until the secretary of state has been notified in writing and has determined that the proposed change or modification does not impair the accuracy and efficiency of the voting systems sufficient to require a reexamination and approval...
So all they had to do was write to the secretary of state, explain that they had just moved a few things around, and wait for confirmation that the secretary agrees that the changes don't require reexamination. That's a pretty standard thing to have to do for any company that makes things for government or military. It doesn't matter if it's the component layout, colour, font on the front panel legends - if it's changed then you notify the changes. It's absolutely amateur and shows a total lack of understanding of the importance of the job they are doing if they don't know this.
I've done a bit of work on mil-spec hardware in the past and even as an engineer intern I was fully aware that every resistor and capacitor on the circuit board was made to a specification and couldn't be changed without notification. If this is how they treat hardware that can be easily inspected and compared with specs, I shudder to think what the underlying software is like.
It sounds a good thing to sell your vote, but you might soon notice that the price of your vote might simply be not losing your job at the first election, not being jailed at the second, and not being killed at the third (and you would have personally voted for each of these steps, so it will be perfectly legal).
The US, being an enormous country, has many levels of government. Unlike many other countries, it runs all elections for all levels of government on a fixed date (some Tuesday in November), rather than spreading them around the year. Of course, not every position is up for election every year, but still this means that the "ballot" contains tens if not hundreds of separate elections, ranging all the way from the US President to the county water board and the town mayor, not to mention multiple "ballot initiatives" (direct legislation). Each election (especially president, governor etc) can feature tens of candidates (most of them irrelevant). Printed ballots are thick booklets; both filling them correctly and manually reading them is a non-trivial operation. Also, manually tallying the votes in these hundreds of elections takes a lot of time.
This is not to say that this was not done manually in the past, but certainly using computers greatly simplifies the process. I think the best solution is to use computers to generate the ballot, but only use computer counts provisionally. That is, the voter will step up to a computer and will make selections, after which the computer will print a filled ballot that can be optically scanned. The computer will also tally the votes giving a quick result for most of the races. Nevertheless, the printed ballots should be considered the official votes, the ones to be used if a recount is necessary. In important races (President, Governor) it's probably better to automatically count the printed ballots and only use the computer counts for provisional results. Note that this also allows for people to manually fill their ballots if they feel like it.
The Americans and many other countries face a difficult choice here. On the one side we have instant reports on the outcome of the voting even before the voting is completely over. On the other side we have the democratic process.
One side is money, the other side is the people.
Darn, which one could be more important?
Don't fight for your country, if your country does not fight for you.
Why do you need instant reporting though?
The posts being voted on don't change for a few weeks after the elections, so it's not as if you need an instant tally.
Votes should NOT be counted until the final polling stations have closed, otherwise the results from one station could affect the results in another. This could be a problem with the USA as it has multiple timezones, but they could just do their exit polls and then count the votes the following day and get the results in a reasonable civilised manner.
Think about it.
In Europe minority votes count for something and you have more than 2 credible parties. That makes rigging an election far less valuable.
In the US just a few thousand votes in a key area bring your party from a lot of control (president) to very little (Democrats in the Senate and House can't get shit done).
With razor thin margins and 49% of the vote counting for nothing it is possible to subtly change the votes and drastically alter the political landscape.
In 2000 Florida was within 1/100th of 1% (0.01%) and would have made Gore the president. I doubt there are many places in the rest of the world where so few people in such a small area could cause such a dramatic shift. This makes the risk/reward analysis in the US much different than other places with your minority representation and 3+ parties.
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
To quote Aladdin in the Disney movie, "You're only in trouble if you get caught". Like most criminals, they don't expect to get caught.
Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
That is, as long as you're not physically unable to mark a piece of paper by yourself.
For all its faults (and there are many), the Help America Vote Act (HAVA) came about because people who are blind or physically unable to mark a ballot had no way of voting independently and privately. To that end, their civil rights were not being addressed by the individual states, and the resulting legislation forced the states to come into compliance (well, everyone except New York).
Prior to the DRE (Direct Recording Electronic) variants, we did all manner of technology things to try to eliminate the nefarious things that various groups would do to unfairly influence elections. Lever machines, scantron/marksense systems, and so on, were all attempts to get the "personal touch" that was so frequently applied, removed from the process. Lever machines seem to have had the best reputation, but even those were susceptible to tampering, in subtle (and frequently invisible) ways.
Another issue in the US is the complex nature of voting rights. Voting laws and regulations are the province of each state, even when it comes to selecting the Electoral College representation for Presidential elections. For example, KY (where I live) could decide to choose its electors by flipping a coin, and our friends in IN or TN couldn't do a dang thing about it. As long as the states don't do anything that biases the process in favor of one particular group over another (such as male/female, white/non-white, non-disabled/disabled), the feds have no say in the matter.
Lastly, you have the issue of US geography. There are many places in the US that are incredibly rural, where outsiders are simply unwelcome. Smart people, even federal agents, go into the hills of Eastern KY with caution, because they know that going in and throwing their weight around so carries a fair amount of risk. I know a former FBI agent who NEVER traveled into Eastern KY alone for just this reason. I would expect that each state has areas like that, where outside review of voting practices or oversight will not be received gladly. In those areas, the states are always looking for ways to get family/regional influence out of the process, because bipartisan oversight is so incredibly laughable.
Like most issues on Slashdot, this is a lot more complicated than the average person (especially those outside the US, or with little familiarity with the US version of representative democracy) realizes. While I see no reason to cut ES&S any slack on this matter, I can sympathize with the difficulty of navigating the plethora of regulations and laws that such a company is subject to, should they choose to sell to more than one state in the US.
Tim
The November 2006 California Gubernatorial election had seven statewide offices and twelve ballot propositions (Californians can enact laws through ballot propositions). This was just the statewide offices - it doesn't count any local offices, initiatives or municipal boards. And this was a small one. The California Presidential primary election in February, 2008 has seven state-wide propositions, with thirty two more in circulation and thirty two more in the final stages of verification at the Attorney General's office. Most of these won't appear until the November general election (where there are more propositions because, as a rule, more people show up to vote), but it gives you an idea of the number of issues people are asked to vote on.
And that doesn't even cover ballots for the sight-impaired, ballots in multiple languages, provisional voting which doesn't get counted until the voter has been verified and mail-in ballots. This is why we use electronic balloting.
If CA had allowed them to do this, without bringing suit, then the CA gov would be liable if there were ANY problems - real or imaginary, which could somehow, anyhow be traced back to this discrepancy. The State Sec of State is doing the right thing both for the people and for his job security.
A court may find that the damages are too great, who cares... he brought the suit and is now off the hook for anything that may or may not have happened come election time.
A fool throws a stone into a well and a thousand sages can not remove it.
As a U.S. citizen, I'd be happy with more than zero credible parties.
"Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
No. We elect a government and all the other ballots can go some other time. Why not have a presidential ballot that you do first, on paper, and then a machine in the next room for all the less important (ie local ordinances etc) stuff?
Voting machines such as those ESS and Diebold sell are useless for anything but cheating... as this illustrates, you can validate code and approve the circuitry design all you like, BUT YOU DON'T KNOW WHAT IS ACTUALLY IN THE MACHINES AT GO-TIME. They can place cheat chips or upload cheat code, and by the time anyone even has an inkling beyond simple statistical obviousness -- which American media apparently can't understand -- the election is years over and we are told no one cares. Unless of course a Democrat wins; imagine the hell unleashed by FoxNews! if a single voting system may have scooted a Demo into office with some question of the system's honesty. But I digress.
Paper trails are useless in the usual conception as well. A voter votes, and a little piece of paper comes out telling him that he voted thusly. Oh, PLEASE. Unless the paper is a card and can be manually recounted and the totals compared to the computer tally, the paper trail is worthless. Anything can be recorded, and anything can be printed. Now, if instead for security purposes the paper card receipt is kept archivally, then why the HELL have a PC acting as an agent in the first place, and simply count the paper cards? Canada uses a number 2 pencil and paper ballot, and they count the votes manually, with a rep from both or more parties observing the count-- you know, the thing that the Supreme Court here said didn't work. And they finish national elections in hours after the polls close. Faster than we do. Their method scales, you see.
There is no reason to computerize the voting process other than cheating. None. All else is sophistry. We had working systems; they were abused by injecting doubt in Florida in 2000. The recounts work fine if the lawyers and the Supremes stay the hell out of things. None of you may recall, but in 2000, at the same time Florida was being sued and stayed to death and back, two more recounts were happening out in the western states -- manually -- and no one said a thing. Florida was made a carnival by Republicans because they wanted to instill the idea in a fantastically compliant media that recounts didn't work, that chads made things uncountable somehow, that NO RECOUNT WAS NECESSARY by any means possible. It took faked up riots in Dade by republican staffers pretending to be random thugs demanding a shutdown and a crooked Supreme Court majority -- all rightist Republicans, and I include Kennedy as he has shown his new colors since then -- to order the shutdown of the democracy hours before the recount was supposed to end. Never has the US seen a group of election officials and volunteers work so hard and so quickly to beat a crooked shutdown and what was frankly a putsch by the Republican party.
How different the world would be now if Gore had been allowed to win. The worst. Day. Ever. In American history.
Listen: have you looked into this at all? Why is it the problem of some-guy-on-slashdot to bring you up to speed on what ought to be common knowledge at this point? In summary, there have been three different styles of attack in play in US elections (1) denial of the right to vote for people likely to vote against you; (2) shorting key districts of voting machines; (3) falsify the vote itself, via electronic voting machines. Oh, and you might throw in a number (4) manipulation of the government legal system to smear the opposition.
If you're in the mood to look up supporting data on each of those three points, for (1) I might suggest reading Greg Palast on the subject, (2) try reading some Ohio Free Press articles (they're online), also that HBO documentary had some striking footage of the problem (3) I suggest reading Freeman and Bliefuss on the subject (4) Is how Alberto Gonzales got chased out of the Attorney General's office, it's not exactly obscure.
My apologies for not doing the link farming for you, but I'm getting tired of playing co-dependent with the willfully ignorant.
If you ask me, there's certainly been enough proof of chicanery to justify an investigation into the problem, but that hasn't happened. And there's definitely, shall we say, "cause for concern" about the integrity of American elections. Debra Bowen's election to Secretary of State of California has been one of the few bright spots in recent years.