Tuesday, December 18, 2007


First California, now Ohio

California audited computer voting machines last summer, and gave all of the audited machines failing grades. The result of that was that California’s Secretary of State decertified all of them.

Now, Ohio has done a similar audit, with similar results:

All five voting systems used in Ohio, a state whose electoral votes narrowly swung two elections toward President Bush, have critical flaws that could undermine the integrity of the 2008 general election, a report commissioned by the state’s top elections official has found.

“It was worse than I anticipated,” the official, Secretary of State Jennifer Brunner, said of the report. “I had hoped that perhaps one system would test superior to the others.”

At polling stations, teams working on the study were able to pick locks to access memory cards and use hand-held devices to plug false vote counts into machines. At boards of election, they were able to introduce malignant software into servers.

Ms. Brunner proposed replacing all of the state’s voting machines, including the touch-screen ones used in more than 50 of Ohio’s 88 counties. She wants all counties to use optical scan machines that read and electronically record paper ballots that are filled in manually by voters.

We should name names, here:

The study released Friday found that voting machines and central servers made by Elections Systems and Software; Premier Election Solutions, formerly Diebold; and Hart InterCivic; were easily corrupted.

The companies, of course, say that the audits don’t matter, and they stand by their machines. That’s no surprise. In their own defense, they often say things like this:

“It is important to note,” he said, “that there has not been a single documented case of a successful attack against an electronic voting system, in Ohio or anywhere in the United States.”
In other words, no one’s been caught, so it’s OK.

Because that’s a key point here: one of the flaws is that corruption of the machines is, in many cases, hard to detect. We might have a nice, friendly community somewhere, where we could just put a box in the middle of the town green and set up the voting on the honour system... but no one would think that a wise thing. And in a real sense, that’s what we’re doing with these machines.

The solution, though, is not to have the companies go off and re-design their machines as they’ve designed them in the past — we’d just have to do another audit, at more expense, and I have no doubt that we’d find more problems. We can’t keep iterating this process.

The solution is to put it into an open design process, where security experts — the sorts of people who are auditing the machines now — participate in the design, and oversee things. And have the whole process audited at every stage.


Maggie said...

Thanks for posting that, Barry. Paperless systems scare the crap out of me. The advantage, when they work, is that they are accessible to disabled people.

Paul said...

I've said it before, and I'll say it again. The problem you have is the size and complexity of your ballot. If the only thing on your ballot was which candidate to vote for for president, computerized voting machines would not be necessary, and you would get a higher voter turnout. The election of the most powerful man in the entire world is too important to be jeopardized by the need to elect a dog catcher in Aurora, Illinois, or decide on library funding in Waldport, Oregon. Those issues should be decided in other state and municipal elections at different times.

scouter573 said...

I think they company representative is right. No one's been caught, so there can't have been any security breaks. There was nothing wrong at Enron, either, until someone started that audit thing. It was a bad move to look - things were going so well. Kind of like Schroedinger's cat, yes? It's not a problem as long you're not looking. The cat is still alive until you open the box. Is that what they mean when they talk about security by obscurity?

Sarcasm aside, developing new electronic solutions seem bound for disaster, even using an open process. It's hard to get software right, much less reliable and secure. My current favorite solution is a paper-based mechanism using a simple format. Something odd? Just count them again. In WA, we vote by mail (officially an absentee ballot), and we receive a fill-in-the-circle ballot printed on stiff paper (not quite a manila folder, but more than just bond). Works for me, although I do wonder about the safety of clearly marked envelopes in the mail.