Why we need paper ballots

Paper ballots and hand counting save the day in Mobile election <read>

Tuesday night, poll workers resorted to the old fashioned way of counting by hand.

Election officials said around 5,000 ballots were rejected by the voting machines, and early Wednesday morning officials found the culprit.

They said a tiny white dot was accidentally printed on the bar code of some of the ballots.

Mobile County Probate Judge Don Davis: “Because of that little error there, the machines rejected these ballots.”

Davis said the ballots are printed by a local company, and this was a simple printing mistake.

Of course, you could say this problem was also caused by paper ballots. But the lesson is that, whatever the cause, having voter verified paper ballots means that we do not have to rely only on technology. Next time it could be a loose wire or some dust on a circuit in a paperless touch screen.

“Military Grade Security” for elections is a non sequitur

Andrew Gumbel, author of Steal This Vote, op-ed in the LA Times: Stealing Oscar – The Academy of Motion Picture Arts and Sciences’ plan to allow voting by computer is an open invitation for cyber attacks and raises the risk of a fraudulent outcome. <read>

The academy said the software developed by the San Diego-based computer voting company Everyone Counts would incorporate “multiple layers of security” and “military-grade encryption techniques” to ensure that nothing untoward or underhanded could occur before PricewaterhouseCoopers, its accountancy firm, captured the votes from the Internet ether.

Unfortunately, leading computer scientists around the world who have looked at Internet voting systems do not share the academy’s confidence. On the contrary, they say the technology is vulnerable to a variety of cyber attacks — no matter how many layers of encryption there are — and risks producing a fraudulent outcome without anyone necessarily realizing it.

Who should we believe? Vendors selling internet voting or computer scientists?

Everyone Counts is certainly savvier than some of the computer voting machine manufacturers who emerged a decade ago. Chief Executive Lori Steele understands that clean elections are about accountability from end to end, not just some miracle machine that does all the work by itself.

She also did not contest the objections voiced by Dill and the other computer scientists. Rather, she argued that, whatever the flaws, carefully encrypted computers are far more reliable than paper ballots, which can potentially be manipulated by a single rogue election official. Everyone Counts puts its machines through a rigorous auditing process, she said, and even interrupted a recent election in Australia to conduct a surprise audit in the middle of the ballot count.

That argument might have been good enough for the academy and for PricewaterhouseCoopers, but it still alarms many software experts. “A surprise audit in the middle is interesting, but I don’t think that’s adequate for the job because there are still multiple ways to defeat it,” Dill said.

We point out that the greatest danger to internet voting is insider manipulation, even easier for a single rogue election official or network insider. No need to steal paper ballots and fill them out. No risk of being caught in an audit or recount of voter verified paper ballots.

Who should we believe? Vendors selling internet voting or computer scientists and government intelligence experts?

See this story from the New York Times: Traveling Light in a Time of Digital Thievery <read>

He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery, for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”

What might have once sounded like the behavior of a paranoid is now standard operating procedure for officials at American government agencies, research groups and companies that do business in China and Russia — like Google, the State Department and the Internet security giant McAfee. Digital espionage in these countries, security experts say, is a real and growing threat — whether in pursuit of confidential government information or corporate trade secrets.

“If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated,” said Joel F. Brenner, formerly the top counterintelligence official in the office of the director of national intelligence…

Targets of hack attacks are reluctant to discuss them and statistics are scarce. Most breaches go unreported, security experts say, because corporate victims fear what disclosure might mean for their stock price, or because those affected never knew they were hacked in the first place. But the scope of the problem is illustrated by an incident at the United States Chamber of Commerce in 2010.

The chamber did not learn that it — and its member organizations — were the victims of a cybertheft that had lasted for months until the Federal Bureau of Investigation told the group that servers in China were stealing information from four of its Asia policy experts, who frequent China. By the time the chamber secured its network, hackers had pilfered at least six weeks worth of e-mails with its member organizations, which include most of the nation’s largest corporations. Later still, the chamber discovered that its office printer and even a thermostat in one of its corporate apartments were still communicating with an Internet address in China…

Last week, James R. Clapper, the director of national intelligence, warned in testimony before the Senate Intelligence Committee about theft of trade secrets by “entities” within China and Russia. And Mike McConnell, a former director of national intelligence, and now a private consultant, said in an interview, “In looking at computer systems of consequence — in government, Congress, at the Department of Defense, aerospace, companies with valuable trade secrets — we’ve not examined one yet that has not been infected by an advanced persistent threat.”

Finally we have the case of army private Bradley Manning, where it is alleged that a single low level insider, located overseas, had access to and the ability to steal almost unlimited volumes of confidential documents from multiple federal agencies.

Military grade “security”, a non sequitur if there ever was one!

Update: Videos:

  • Andrew Gumbel provides the same information and some additional information <video>
  • CEO of Everyone Counts. Little if any information beyond the above story <video>

The Wild West: Presidential Primary “Election” Edition

Selecting candidates for President is less safe and less democratic than most of us realize.

Four years ago there were five public hearings on voting in Connecticut. In reaction to election administration admissions by registrars, Representative Caruso referred to our system in the Nutmeg State as the “Wild West”. It seems that choosing a candidate for President by parties is another version of the Wild West.

The latest demonstrations of the weak underbelly of candidate selection are the caucuses in Iowa and Nevada:

Iowa had a very close vote count declaring Romney the victor, followed shortly by news of bad accounting from one meeting which would have Santorum the victor <read>, followed several weeks later with a confirmation of Santorum based on a recount missing records from eight locations. <read>

Earlier, many were concerned with a hacker threat to the Iowa caucus <read>. And soon after, a candidate’s campaign investigated for vote fraud in Virginia <read>.

This week added concerns with the Nevada caucus. And a summary of caucus concerns from the AP and the Washington Times <read> <read>

What else should be of concern, given that parties can pretty much choose their own way of selecting a candidate? Internet voting subject to external hacking, insider fraud, and even subject to official override. Consider the risks of the party/non-party Wall Street financed and managed Americans Elect <read>, and the 2008 Democrats Abroad vote <read>

Voting machine investigation leads to serious issues and cover-up

Brad Friedman articulated the details last week <read>

Forensic Analysis Finds Venango County, PA, E-Voting System ‘Remotely Accessed’ on ‘Multiple Occasions’ by Unknown Computer

Battle for independent election investigation rages in rural Republican county, pitting renegade Election Board against County Commission, giant E-Vote firm ES&S…

What is wrong in this situation?

  • Illegal software found on vote accumulation machine
  • On several occasions the system was accessed remotely, unauthorized
  • Evidence of an illegal flash drive mounted on the system
  • The log shows out of sequence events
  • The Election Board that should be leading the charge to get to the bottom of the problem is fighting to cover up the evidence and avoid investigation
  • The vendor, ES&S, which should be offering to assist in the investigation, is keeping the code secret and suing the investigators to stop, to keep the evidence hidden
  • There is no paper record of the votes such that investigators and citizens can determine if votes or elections were compromised

This is serious stuff. The words that come to mind are: Illegal, unacceptable, unconscionable, ridiculous, unconstitutional, and undemocratic.

Hats off to the citizens of Pennsylvania who fight for voting integrity, the researchers at Carnegie-Mellon, and the interim Election Board.

According to the Initial Report from a landmark independent forensic audit of the Venango County, PA, touch-screen voting system — the same system used in dozens of counties across the state and country — someone used a computer that was not a part of the county’s election network to remotely access the central election tabulator computer, illegally, “on multiple occasions.” Despite the disturbing report, as obtained by The BRAD BLOG and posted in full below, we may never get to learn who did it or why, if Venango’s County Commissioners, a local judge, and the nation’s largest e-voting company have their way. And that’s not all we won’t get to find out about.

The battle for election integrity continues in Venango, with the County Commissioners teaming up with e-voting vendor Election Systems & Software, Inc. (ES&S) on one side, and the county’s renegade interim Republican-majority Board of Elections on the other. The Commissioners and ES&S have been working to spike the independent scientific forensic audit of the county’s failed electronic voting machines that was commissioned by the interim Board of Elections. Making matters worse, the Board has now been removed from power by a county judge, a decision they are attempting to appeal as the three-person board and their supporters continue to fight the entrenched establishment for transparency and accountability in the rural Western Pennsylvania county…

Omaha-based ES&S, which had issued no objections prior to the start of the study, but changed its mind quickly after it began (as we detailed in an Exclusive report in late October) has now hardened their position, sending threatening legal letters to both the county and the two computer scientists. The e-voting firm has warned them they are likely to face a lawsuit if they do not agree to complete confidentiality and if results of their analysis are released publicly without their prior review and approval…

There were real, not just theoretical, concerns motivating the investigation in the first place:

As the analysis finally began, Election Integrity advocate Marybeth Kuznik, founder of the non-partisan watchdog organization VotePA.us explained that the Board was calling for the investigation after the county had experienced “numerous reports of vote-flipping, candidates missing from screens, write-ins missing, and high undervote rates in their May 17 Primary.”

While reporting on the Venango Board’s efforts to get their analysis under way during one of our regular fill-in stints as guest host for the nationally syndicated Mike Malloy Show in late October, we received an unexpected call from Adams to offer more details on why his Board had sought the forensic audit.

“It started with an election in 2008 when the machines were basically showing a large number of undervotes,” he explained. “And then there were candidates for positions in the county and they had zero votes, but there was like 250 or 260 undervotes.”

“Wait a minute, there were people who had zero votes on the ballot? Is that normal?” we interrupted to ask.

“No. No, it is not normal,” he responded directly, describing the anomaly as “a red flag.” When pressed to explain why he believed the County Commissioners and their legal representatives had been working so hard for months to keep the audit from happening, Adams told us bluntly: “They know there’s something wrong.”

This provides one more reason to scrap unverifiable election systems without a voter verifiable paper record in favor of more economical, auditable optical scan technology. But that is not enough!

  • Every state, every ballot should be subject to sufficient post-election audits. But that is not enough!
  • Strong security and chains of custody are needed for ballots.
  • And a total audit of voting systems and election systems should be required: e.g. Do pollbook counts match ballot counts? Are voters given a fair opportunity to vote? Are absentee ballots properly secured and submitted? Is there any evidence of machine tampering or irregularities?

Scanners like ours: Optical scanner counts differ for same ballots

There should be an investigation; however, we suggest that determining the cause is not a complete cure. It could happen again. It could have happened in the past. Maybe in Connecticut.

Brad Friedman reported the story last week <read>

A close race on election night. Rescanned to check but the other candidate won. Then they did a hand count and confirmed the original result. Utah, like Connecticut, is fortunate to have chosen optical scanners with voter completed paper ballots. But we need to verify the accuracy of scanners with audits, recanvasses, and recounts.

The first “recount” of Provo’s Municipal Council District 1 ballots — carried out on the same op-scan systems that tallied them in the first place — was held yesterday, only to be abruptly called off when the results were found to be “extremely in favor of the opposite candidate.”…

“The numbers were varying too much,” Utah County Chief Deputy Clerk/Auditor Scott Hogensen tells the Deseret News about the District 1 race. “It became obvious the machines weren’t counting things correctly.”

But whether the Diebold op-scanners tallied the ballots inaccurately on Election Day or during the so-called “recount” remains unknown at the moment.

According to Deseret News, “Morrow said she asked for the recount to be done by hand in the first place but the request was denied.”…

two hand-counts on Wednesday have now confirmed the accuracy of the original optical-scan count giving the election victory to Gary Winterton after all. The “recount” on the same op-scan systems seems to have been inaccurate, while the original count was accurate. We still don’t know why, of course.

It was not a small, trivial difference, we are talking over 700 votes!

No word yet on why the second scanner might have miscounted. There should be an investigation; however, we suggest that determining the cause is not a complete cure. No matter the cause:

  • It could happen again in Utah or Connecticut
  • Another time it might be the original scanner, not the second one, and/or election day officials making the error
  • It might be far enough off that there is no automatic recount or recanvass
  • It might not be the machine; it might be procedures. Yet exonerating the machine does not provide comfort: whatever the cause, it can happen again in Utah or Connecticut
  • Perhaps it has happened before – maybe last year in Connecticut one or more of the differences between hand counts and machine counts might not have been human errors as assumed by the Secretary of the State’s office. <read>

We leave with this further item from Brad illustrating the tendency for officials to leap to unfounded, yet assuring conclusions based on assumptions:

Amusingly, and for reasons unknown, [Utah County Chief Deputy Clerk/Auditor Scott] Hogensen told Deseret News that, according to the paper, he “does not believe machine malfunctions affect the outcome of any other races in the county.”

This has happened a couple of times before with other scanners. <one example> <another>

Secretary of the State’s Online Voting Symposium

On October 27th, the Secretary of the State, Denise Merrill held an ‘Online Voting Symposium’ at Central Connecticut State University (CCSU) in New Britain. We were there with our amateur video. The Connecticut Television Network (CT-N) was also there. When CT-N videos become available we will also post them here.

Summary

This was an exceptional panel of experts on voting technology and the challenges of overseas voting. Credit is due to the panelists, the Secretary, and those who contributed behind the scenes in making this event possible. John Dankowski, of Connecticut Public Broadcasting, did an exemplary job of moderating a very civil, thorough debate. If only typical panels and Legislative hearings could be more like this format: interactive, civil, and informative.

On a rainy/snowy night with competing demands at the State Capitol, we were pleased that several Legislators attended. In total about eighty people attended with a good mixture of registrars of voters, town clerks, and advocates. We expect many more will watch our videos or the videos and replays on CT-N.

Secretary Tennant of West Virginia, a proponent of online voting, was outnumbered four to one by the other panelists. Dankowski provided her a fair opportunity to respond and challenge the other panelists.

The Panelists

Susan Dzieduszycka-Suinat
President & Co-Founder of Overseas Vote Foundation
The Overseas Vote Foundation is a nonprofit, nonpartisan organization established in 2005 that helps overseas and military voters participate in federal elections by providing public access to interactive web services. 4.75 million individuals visited OVF’s 17 voter services sites in 2008.

Natalie Tennant
West Virginia Secretary of State

In 2010, West Virginia piloted an online voting initiative for military members and overseas citizens for the primary election. Tennant has testified before Congress on the success of the state’s pilot program and her office has recently issued a report detailing the ways in which voters benefitted.

Assistant Professor, University of Michigan
Halderman, a computer science professor, led a team from the University of Michigan to successfully penetrate and manipulate the internet voting system Washington D.C. planned to use for military and overseas voters for the general election in 2010.
 
Ron Rivest
Professor, M.I.T.

Rivest is a cryptographer and a member of the Election Assistance Commission’s Technical Guidelines Development Committee.  In 2006 he published his invention of the ThreeBallot voting system, which incorporates the ability for the voter to discern that their vote was counted while still protecting their voter privacy.
 
Alex Shvartsman
Director of UConn Center for Voting Technology Research

The mission of the VoTeR center is to advise state agencies in the use of voting technologies and to investigate voting solutions and voting equipment to develop and recommend safe use procedures for their usage in elections.

My Two Cents
The panel covered most issues surrounding online voting during close to one-hundred minutes. The time flew by, well focused, and engaging. There is always more that could be said, more details, and additional important points which could have been discussed. Here are some additional points that I would like to have seen raised or had more emphasis.
  • Voting challenges and solutions should not be limited to military voters. As a veteran I appreciate the service and the challenges to voting for soldiers. All overseas voters should have effective access to voting. Many face similar challenges, many deserve our thanks, while all should be able to have their votes counted. Consider some examples: Volunteers and NGO staff in Darfur and Haiti; Business representatives in China, South America, and Africa; Oil rig workers; Merchant Marine; State Department employees; Military contractors; and Peace Corps volunteers.
  • Insider attacks are easier and more effective than external threats. Like most panels the focus was on outsider attack, yet the risk of a single insider is likely greater. An insider likely needs much less sophisticated means, has more opportunity, and ready means to attack, in less detectable ways.
    • The government believes a single Army Private could have accessed and stolen government documents from many agencies. Whether they have the correct suspect or not, they seem quite convinced that it is possible. Many election officials, government technologists, contractors, and vendor employees would have similar opportunities to compromise online voting systems.
    • Ironically, driving home I caught snippets of the rebroadcast of the day’s John Dankowski show, Where We Live. The subject was Art Theft. One of the main contentions was that almost all museum art theft is accomplished by unsophisticated insiders – typically low paid security guards with access, using unsophisticated means.
  • The possibility of error. Online voting systems could have errors which lose votes irretrievably or mis-classify them. Without the paper records votes can be lost or changed, with or without detection, yet without recourse.
  • The confusion of the possibility of a ‘secure’ government network with reality and what is on the table. Panelists discussed the possibility of a non-public Internet, a highly secure government network for online voting, using highly secure computers and servers as well. Even though a perfect system is impossible, such a network would be much safer than systems using individuals’ computers, the public Internet, or a regular government Internet – many of us might agree such a system was ‘good enough’. Yet we should not confuse that possibility with what was actually the subject of the symposium, what is being actually proposed around the country, or what is reasonable:
    • Neither the Federal Government, Connecticut, nor any state is actually seriously considering such a system. For starters it would be hugely expensive, require agreement to let the military handle all such voting for every jurisdiction, along with huge investments and operating expense on the part of the Federal Government and each election jurisdiction.
    • It would likely have to be a huge network with a huge number of locations and secure computers, separate from other Military networks, especially if it were used to serve all overseas voters.
    • Remember that anecdotal extreme cases of voting challenges include front line troops in Afghanistan, relief workers in the most challenging conditions, Peace Corps volunteers in remote villages etc. It is hard to imagine a secure, expensive, network reaching in all such environments. We cannot lose sight of realistic means to solve the real challenge we started out to address.
Other Coverage
The Hartford Courant <read>
New Britain Herald <read>
Connecticut Network (CT-N) <video>
Waterbury Republican and Senator Kane <read>

UConn Report: Batteries and officials failing faster than previously reported

  Most projects start out slowly, and then sort of taper off.
    – Augustine’s Law #XL

Last week, the University of Connecticut (UConn) released a report on memory card testing covering 2007 – 2010. The results from 2007 until pre-election testing for August 2010 had been previously published; we expected to see the 2010 results much sooner. <report>

From the Conclusion, our comments in brackets [ ]:

Correctness of Card Programming: The audits determined that 100% of the cards actually used in the election [and actually submitted to UConn for testing] showed correct programming in terms of both the election description data and the executable code on the cards. In the case of the pre-election cards, in all cases where small discrepancies in the election description data were discovered, these differences were due to the very late changes, such as candidate name changes, substitutions, and race changes.

Audit Coverage: The number of memory cards submitted for audits fell substantially in 2010. We understand that in some cases districts were advised to not submit cards for audit in an apparent effort to occlude the fact that memory cards were duplicated. It is recommended that the SOTS Office encourages the districts to always submit one out of four cards for pre-election audit and all of their used cards for post-election audit. The number of cards examined by the audits needs to be substantially increased in future elections to provide a better statistical basis for the overall election landscape in Connecticut. Not only this will help ensure proper programming of the cards, but it will also help address the reliability problem of the memory cards…

This dramatic drop in card submission renders most of the other statistics in the report unreliable and questionable. As UConn states, officials may be avoiding sending in duplicated cards; they could be choosing to send in more “junk data” cards as they are useless in the election; or avoiding sending in “junk data” cards assuming, incorrectly, it would reflect badly on them. Without public drawings we have no indication that cards are selected randomly, or that officials actually understand that they should be. Without accurate data it is hardly worth reviewing and making decisions based on the statistical analysis of the partial data.

Memory cards submitted by officials to UConn (Out of about 800 districts and 3500 cards)

As we have noted in the past, because the cards are not actually and publicly randomly selected, in addition to making it impossible for the reported results to be statistically accurate, it also provides an easy loophole for errors and skulduggery to be covered up.

An earlier UConn report indicated that the problem was old batteries and that replacing batteries regularly might solve the “junk data” problem. Apparently this is not always so, with some cards quickly draining the batteries:

Continuing with the Conclusions:

This data loss is most likely caused by the weak batteries on the cards (however, as of this writing it is not clear how long a fresh battery lasts in a memory card). We are continuing to examine this issue. Increasing audit coverage will enable us to obtain and evaluate more cards that failed in search for a solution. In particular, we know that some cards drain batteries much faster than most; when we identify such cards it is recommended that they are removed from circulation. Longer term solution may be to develop replacement cards that use non-volatile memory technology…

Memory Card Duplication: In recent elections more than 6% of the cards [selected and submitted by officials] were involved in duplication. We note that the only authorized entity to provide card programming for election in Connecticut is LHS Associates. There is no guarantee that card duplication done by the districts correctly reproduces data and programming on the copy cards. Additionally, if duplicated cards are not submitted for audits it increases the risk of using incorrect cards in elections. It is recommended that the SOTS Office reinforces its policy that prohibits card duplication…

Adherence to Election Procedures: The technological audits established that the districts do not always adhere to the established pre-election procedures. Most notably, in recent elections over 6% of the memory cards are duplicated by the districts, a practice that is not permitted by the SOTS Office. Additionally, some districts do not prepare all of their cards for elections and/or prepare for elections by running elections instead of running test elections. It is recommended that the SOTS Office reiterates the importance of following the prescribed election procedures. Lastly, some districts send cards for pre-election audit before they test the cards, while other districts send cards after they test the cards. For the pre-election audit to be most effective, it is recommended that districts uniformly send cards after the cards are tested and prepared for elections.

Overall, we applaud the report and the work of the UConn Voter Center. We are disappointed in the data submitted by election officials and the lack of progress in effectively addressing memory card problems. We are sympathetic to officials for the problems bad memory cards cause, yet our sympathy ends when they do not play their part in providing cards needed for UConn to make detailed and accurate assessments. We note that the lack of cooperation happened in the Bysiewicz Administration. We hope that the Merrill Administration will elicit more cooperation and encourage production of more timely reports for both memory cards and post-election audits.

For memory card testing to be useful and reach the potential of the exemplary testing developed by UConn, the program needs to be well defined and mandatory, enforceable, and enforced. The program should be mandated by law and/or all memory cards required to be sent through UConn in both directions from and to registrars, never to and from LHS, the vendor responsible for programming the cards. Or as we have recommended, the cards should be programmed in Connecticut, co-located with an independent testing function using the UConn developed test.

Voting more vulnerable than ATM’s – That’s not saying much

If voting machines are attacked, especially if the attack is switching votes, how would we know? At least with ATM’s there is money missing. A story from the Hartford Courant today sounds technically similar to the recent demonstration of stealing votes by inserting hardware into a voting machine, although the banking application often needs a camera and uses wireless communication, which are not necessary in skimming votes. Sadly, neither is really news or technically challenging; both are simple to understand:

Thieves Make Withdrawals In Istanbul After Grabbing Debit Card Information in New England <read>

The customers — about 150, according to Webster — were victims of a “skimming” scheme in New England perpetrated by an international fraud ring. The thieves used an electronic device to read data off magnetic strips of debit cards inserted in some ATMs operated by Webster Bank and at least two other banks. A small camera recorded customers punching in their PINs…

Typically, the skimmers fit right over the slot where the card is inserted, looking very much like part of the ATM. The camera can be hidden in a brochure holder or concealed behind a mirror that looks like the security camera. The devices are readily available on the Internet, some for as little as a “few hundred dollars.”

No reason to say “It can’t happen here”. But at least we have voter verified paper ballots to audit, recanvass, and recount!

Where Common Sense fails: Do insider attacks require a sophisticated conspiracy?

Note: This is the fifth post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <previous> <next>

We frequently hear versions of the following comments, often from election officials:

“It would take a very sophisticated operation to steal an election. Computer experts with access to the election system.”

“Our staff is trusted and they don’t have that level of expertise.”

“You are a conspiracy theorist, you just don’t trust election officials, and the security of our voting machines”

To some of these charges I plead guilty, and with other items I beg to disagree:

  • I do believe in the existence and possibilities of fraud by conspiracy, yet in the case of election integrity argue that compromising an election does not require the existence of a conspiracy of the sort implied by the current definition of conspiracy theory. In fact, individuals have been convicted or exposed for small to moderate size conspiracies.
  • I do trust most election officials. The problem is that many election officials express and request blind trust of all election officials. This despite regular instances of errors by officials, and occasional successful prosecution of various election officials for criminal violations. Unless election officials are cut from a different class than other citizens and public officials, some of the time, some of them will make errors, and others will commit fraud, sometimes without prosecution, and sometimes undetected.
  • It does not require a sophisticated operation to steal an election. Fraud would not necessarily require computer experts with access to the election system.

In this post, we address where Common Sense fails, where what seems obvious to individuals and election officials is often counter to the facts or science. Here we have to be careful about trusting our own initial views and those of honest officials; we need to be open to the idea that we may not individually have all the answers, and be willing to listen to, if not completely trust, scientists and the facts. (We are not just talking about elections here, but many other areas which are critical to democracy and life.)

Those that are unfamiliar with technology and a specific area of science often overestimate how difficult or easy specific things are to accomplish. As we often confuse conspiracy and conspiracy theory, we often confuse the meanings of theory, between the common meaning of theory and a scientific theory. They are as different as a Pat Robertson theory of earthquakes and the germ theory of disease.

For instance, people often think technologists can do anything such as solve the nuclear waste problem, cure all cancer, make smoking safe, produce clean coal, or provide safe internet voting. These are all hard problems that have, so far, eluded teams of the best scientists. I frequently recall a friend in middle school, in the late 1950’s, who had no concerns with smoking, saying “By the time I get lung cancer in 30 or 40 years, science will have a cure”.

Once even “scientists” believed with the right recipe sea water could be turned into gold. In the dark ages of the 1950’s it was believed it would be possible to predict the weather and the economy, if only we had enough data and the right programs. Since then, with the advent of Chaos Theory, we have learned both are impossible, yet that fact has provided us the opportunity to deal with the economy and weather more rationally and realistically. Since the 30’s or 40’s we have also known that it is impossible to prove that any computer software/hardware system is accurate and safe – there is no recipe possible. (And thus it is also impossible to build a computer or communications system that is provably safe. In practice, we can see from failed attempts of government and industry that the best systems are, in fact, regularly compromised, providing practical as well as theoretical reasons to avoid trusting any computer/communications system.)

On the other side, many things are much easier than the public and many election officials believe. Smart individuals and small groups continue to create computer viruses and hack into the best systems of the most sophisticated government agencies and industries. On the easy side, the U.S. Government believes, apparently with good reason, that a single Army Private could access and steal a huge number of confidential documents from many Federal agencies. (That he was a low-level insider with lots of access just emphasizes how vulnerable systems are to a single insider, and that it would take steps in addition to a safe computer system, even if that were possible, to protect us from an insider.)

How often have we each gone to an expert with what we viewed as a tough problem, only to have it solved quickly and inexpensively? For example: Recently, my condominium unit needed a new main shut-off valve. The maintenance staff and I believed it would be a big job requiring service interruption to dozens in my neighborhood, requiring a shut-off of a valve in the street. Enlisting the help of a general plumbing contractor, the contractor simply froze my pipe while installing a new valve.

When it comes to election machine hacking, online voting, and conventional stealing of votes, it is relatively easy in many jurisdictions to compromise the vote, especially when it only requires a single insider. Some attacks take extensive technical knowledge, which many hackers possess; such a hacker could help or intimidate a single insider into executing the attack, or could simply get a job in election administration. Other attacks take very little technical expertise. When officials misjudge how easy it is for attacks to be accomplished, and when officials don’t understand technology, it makes it all the easier for a single trusted insider.

One company, LHS, programs all the election memory cards for Connecticut and other states. LHS’s President said that we are safe from hacked cards because he has no employees with software expertise (including himself). There are several fallacies in this:
— How would he know if a particular employee has technical expertise?
— It is not all that hard to misprogram memory cards.
— A single employee could gain outside technical help or be intimidated to do what an outsider demands.

Similarly, many election officials would claim we are safe because they do not have computer experts on their staff. Once again, how would they know how much it would take and what a person does not know?

As for outsider attacks, one example: To our knowledge, in only one instance has an Internet voting system been subjected to an open, public security test. It was compromised extensively and quickly. Even if it had not been compromised so easily, or had been subjected to a more extensive test, it would hardly be proven safe, and hardly be safe from attack by insiders.

In our view, the best we can do realistically is voter created paper ballots, counted in public by machine, a printout of results in public, followed by a secure ballot chain of custody, followed by effective independent post-election audits, and where necessary complete recounts. All transparent.

Finally, we need to emphasize the requirement for a “secure ballot chain-of-custody” or at least a reasonably secure system making it difficult for single insiders to compromise ballots. For those with blind trust in security seals we provide presentations by an expert <view> and examples of quick seal compromise by that same expert and an amateur <read>

Caltech/MIT: Election Integrity – Past, Present & Future

On Saturday October 1st, I was pleased to be a part of the Future panel at the Caltech/MIT Voting Technology Project event, Election Integrity – Past, Present & Future. The event was to celebrate the 25th anniversary of a conference on voting integrity held in 1986. Perhaps I was invited to join the Future panel because I have only been involved for a bit over seven of those twenty-five years. Like most panelists on all three panels, I addressed a bit of the Past, Present and Future.

My presentation was titled: A Watchdog Activist Lobbyist Plods and Plots the Future of Election Integrity <PowerPoint.pdf>

Once a video of the event and other presentations are available, I will provide links.

Update 10/30/2011 Videos available <watch>