One thing that never made much sense was how vehemently the big e-voting manufacturers fought pretty much every single attempt to let outside computer security experts try hacking their machines. They often made excuses about how this wouldn't be fair under "non-real-world conditions," but never explained how it would be bad to at least let these hacks proceed to learn from them and use them to strengthen the overall security of the machines. Thankfully, it looks like voting officials in other countries are a bit more open to this concept. Slashdot points out that Brazil opened up a "challenge" allowing security experts and other hackers to request to take part in a big hack attempt on e-voting equipment. Not only that, but the government is going to give $5,000 to whoever successfully hacks into one of the e-voting systems. This seems like a much smarter way to check the security on these machines than the previous method of very basic gov't oversight and the e-voting firms issuing a big "trust us," answer to every question.
Sequoia Voting Systems had been one of the "big three" e-voting providers, along with Diebold (Premiere) and ES&S. All three companies were notorious for massive amounts of secrecy and many, many, many reports of faulty machines with weak security. Sequoia's biggest problem -- which showed up in election after election after election after election -- was that it seemed to count the votes differently every time. That seems like a rather big flaw. The company also threatened computer security expert Ed Felten after the State of New Jersey asked him to look at Sequoia's code.
Just last week there were reports that Sequoia had accidentally revealed some of its source code -- but this week Sequoia has surprised a lot of people by announcing plans for a new e-voting system which will have open source e-voting software included. The code will be released to the public next month.
This is definitely a big (and surprising) step forward. The Wired link above tries to speculate why -- but I'd argue the most obvious reason (not mentioned in that article) is that Sequoia's two largest competitors, ES&S and Diebold/Premiere merged last month, suddenly making Sequoia a much smaller player in the space (I believe it was already the number three player...). Going open source isn't just a way to improve its code and improve trust in the machines, but also a way to stand out against a much larger competitor.
For years, the big e-voting firms have refused to share their source code, repeatedly insisting all sorts of awful things would happen if the code was revealed. Of course, in the few instances where people actually did get access to the code, the only "awful things" that turned up were pretty massive security holes and weak programming. However, it looks like Sequoia may have inadvertently revealed its source code (found via Slashdot) due to an incompetent attempt to "remove" trade secret info:
The Election Defense Alliance filed a public records request under California law for a copy of the final election databases from recent elections in Riverside County California. Riverside coughed them up, after sending them first to Sequoia for "redaction of trade secrets" and forcing EDA to pay a substantial amount for this "service."
As near as we can tell, instead of stripping out proprietary stuff of any sort, Sequoia simply committed vandalism: they stripped the Microsoft SQL header data off the top, expecting that this would ruin access to the data under any possible database utility and making the contents unreadable. [Note: confirming this is a high-priority task!]
While they succeeded in ruining the files as data, they didn't realize what a Linux user could do with the "strings" command: strip out unreadable characters and leave everything left as readable plain text. This in turn revealed thousands of lines of Microsoft SQL code that appear to control the logical flow of the election.
So now there's a project underway to analyze the code, which can't make Sequoia very happy. But what may be even more interesting is that the folks hosting the code are suggesting that the way Sequoia buried its code in data files may violate federal election law concerning e-voting systems.
It violates the federal rulebook on voting systems on several levels: the rules require that code be hash-checked to prove authenticity in the field for obvious reasons. If the real working code is buried in with the data, no such hash-checks are possible. The federal rulebook is also clear that code can't be interpreted, apparently to avoid modification "in the field" (generally county or city election offices). There is also a rule barring "machine generated code" and since these data files are allegedly created (and managed) by the WinEDS application, the code in these files has to be "machine generated"?
That can't be good. Though it might further explain the resistance to ever sharing the code.
Michael Scott alerts us to the news that e-voting firm ES&S has sued two former employees, claiming copyright infringement over code they took with them from ES&S, along with additional trade secrets. I have no idea whether or not this is true, but all I can ask is "why?" As has been documented time and time again, ES&S's e-voting code has a ton of problems. Remember, these are the machines that have been found to have serious security vulnerabilities, with some serious bugs, such as adding votes to the wrong election, calibration problems that lead to people voting for the wrong candidate, and bugs that resulted in phantom votes. And ES&S is the company that knew about some of these bugs, and let them be used in elections anyway. So if you were going to go off and start your own e-voting company (and it's not clear these individuals did that), wouldn't you be better off starting from scratch?
Ah, Diebold. One of the "big three" e-voting providers out there, its name was the first one that got associated with the problems of e-voting machines, despite problems being found across the board in players in that space. I could never understand why the company continued to fight and deny problems with its machines after so much evidence was presented against them. The smart move would have been to admit that the machines had problems, work with security experts to solve them, and come out with better, safer machines. But that's not what happened. Instead, it stonewalled, denied problems, mocked those who exposed security flaws and kept pushing out questionable machines. Eventually, the stories got so bad, that Diebold realized it was having a seriously negative impact on its other lines of business (including ATMs), so it renamed the e-voting division "Premier Election Solutions" (as if people would forget) and went about trying to sell the thing off -- though, for years it couldn't find any takers.
It took a while, but Diebold has finally found a buyer. ES&S has purchased Diebold's e-voting business for a mere $5 million plus some outstanding revenue. In classic Diebold fashion, the company has announced that it "would not be answering questions about the sale" -- because that's how you go about rebuilding trust.
Meanwhile, it's not like ES&S is any better. It, too, has had massive problems with its e-voting machines, while the company has a history of stonewalling attempts by gov't officials to review their code. Oh, and there's this: company memos showed that the company knew about some of the problems with its voting machines that were used in elections. And the most fun of all? When we questioned why e-voting companies didn't allow independent security researchers to examine machines, an ES&S employee showed up in our comments to call us all idiots.
Now, with the combined ES&S/Diebold/Premier, a ridiculous large percentage of the country's e-voting machines now belong to one company, with an amazingly long family tree of faulty machines and a history of attacking anyone who points out those flaws.
Another election using e-voting machines... and another set of stories concerning massive problems. Slashdot points us to the news that a local election in Rapid City, South Dakota, was about to go to a runoff after no one hit the 50% mark, when someone finally noticed that the 10,488 vote total seemed a bit high. So, they went back and recounted the actual ballots, and discovered only 5,613 people voted, but the software added up the votes incorrectly. Once again, we're left wondering why it's so difficult to do simple arithmetic -- and why e-voting companies like ES&S are so against allowing experts to look at their source code and maybe help catch some of these bugs before they totally screw up an election.
ES&S, of course, has been especially bad when it comes to transparency, despite numerous stories of glitches. It's also the company that had an employee stop by here on Techdirt, call us all "idiots" while insisting that the machines were perfectly fine and that the machines are "extremely scrutinized and very reliable" and anyone questioning their reliability was simply relying on "conspiracy blogs." Of course, his focus was on the idea that the machines were "hacked" -- a charge we never made. Our concern -- and the concern of many others -- are that the machines are unreliable, prone to errors and have serious security and process flaws. Considering how many stories we've seen of problems with those machines in real elections, that seems to be proven fact -- not "conspiracy."
And yet, ES&S has always resisted any real scrutiny. When California looked to investigate e-voting machines more fully, ES&S was the one vendor who held out for months beyond the deadline, before finally submitting its source code along with a threatening letter about how it would personally sue the Secretary of State if any of its trade secrets got out. Of course, soon after this, we found out that even its certified code didn't much matter, since it had given California machines with uncertified code for an election. In the end, not surprisingly, ES&S machines were found to have significant problems, and were decertified in California. Perhaps South Dakota should have taken note.
Reader oxymoron alerts us to the news that Ireland has dumped e-voting machines, concerned both about the costs and the reliability and accuracy of the machines. It still amazes me that anyone is using these machines anywhere given the massive reliability and accuracy problems they've seen throughout the world. So it's great to see countries finally realizing that perhaps democracy is aided by actually having voting systems that people can trust, rather black boxes that make it that much easier for people to distrust.
We've never quite understood why e-voting software shouldn't be required to be public information. For the sake of actually allowing an open and transparent voting system, it's hard to understand how any governing body would allow proprietary software to be used. There's simply no way you can prove that the system is fair and transparent if the counting mechanism is totally hidden away. For years, the big e-voting firms have simply shrugged this off, but it looks like they're at least open to discussing it. A trade group representing the big e-voting firms has put out a whitepaper discussing open source voting systems, where all they really do is show that they don't actually understand much about open source technologies.
First, they claim that, even though they understand that "security through obscurity" isn't effective, "there remains some underlying truths to the idea that software does maintain a level of security through the lack of available public knowledge of the inner workings of a software program." Computer Science professor Dan Wallach does a nice job responding to that claim:
Really? No. Disclosing the source code only results in a complete forfeiture of the software's security if there was never any security there in the first place. If the product is well-engineered, then disclosing the software will cause no additional security problems. If the product is poorly-engineered, then the lack of disclosure only serves the purpose of delaying the inevitable.
What we learned from the California Top-to-Bottom Review and the Ohio EVEREST study was that, indeed, these systems are unquestionably and unconscionably insecure. The authors of those reports (including yours truly) read the source code, which certainly made it easier to identify just how bad these systems were, but it's fallacious to assume that a prospective attacker, lacking the source code and even lacking our reports, is somehow any less able to identify and exploit the flaws. The wide diversity of security flaws exploited on a regular basis in Microsoft Windows completely undercuts the ETC paper's argument. The bad guys who build these attacks have no access to Windows's source code, but they don't need it. With common debugging tools (as well as customized attacking tools), they can tease apart the operation of the compiled, executable binary applications and engineer all sorts of malware.
Voting systems, in this regard, are just like Microsoft Windows. We have to assume, since voting machines are widely dispersed around the country, that attackers will have the opportunity to tear them apart and extract the machine code. Therefore, it's fair to argue that source disclosure, or the lack thereof, has no meaningful impact on the operational security of our electronic voting machines. They're broken. They need to be repaired.
The next oddity, is the claim that if a problem is found in open source software, then it won't get fixed as quickly, because you have to wait for "the community" to fix it. That completely mistakes how open source software works. Again, Wallach points out how silly that is, noting that plenty of commercially-focused companies run open source projects, including maintaining and contributing code to the project. If these companies were to open source their code, there's nothing stopping them from continuing to improve the security of the code. There's no need to wait around... The paper has other problems as well, which Wallach discusses at the link above. To be honest, though, it's quite telling that these firms don't even seem to understand some of the basics of how open source software works.
Back in February, we found it disturbing that Finland was allowing the results of an election to stand, despite the fact that at least 2% of the votes had gone missing due to e-voting glitches. However, it looks like some sense of sanity has been restored as a higher court has now rejected the election results and ordered a new election. One hopes that the new election won't involve similarly screwed up e-voting machines. Speaking of which... in a separate article, we find yet another story of e-voting machines that were "mis-calibrated" in such a way that made it difficult to impossible for people to vote for candidates of their choice. At some point, given all of these problems with e-voting machines, you have to ask why elections officials still rely on them.
While there have been plenty of conspiracy theories over the years concerning e-voting machines, none have been particularly compelling. The evidence looked like plenty of incompetence, with buggy machines that had huge security flaws that could be exploited -- but we hadn't heard of any cases of anyone actually being caught tampering with or trying to tamper with votes. That isn't to say it didn't happen. It's possible that it happened and the perpetrators weren't caught -- but it's a big leap from it "could" happen, to it "did" happen. So, most of our coverage here has been very much on the bugs and the flaws, rather than any of the conspiracy theories that floated around.
However, it appears that a group of Kentucky election officials, the circuit court judge and the county clerk, were arrested for changing votes in various elections between 2002 and 2006 on e-voting machines. The details suggest that there were two parts to the vote changing. First, there was traditional vote buying -- where they paid people to vote in a certain way. However, the second involved actually changing voters' votes on ES&S e-voting machines.
It didn't involve any hacking or direct security flaws -- but the elections officials made use of the confusing user interface and process of the e-voting machines to trick voters into leaving before their votes had been cast. That's because there's a "vote" button, that some people (silly them!) assumed meant they actually voted. Nope. It turns out that just gets you to a page to review your vote and then confirm it. However, these elections officials told people that once they hit vote they had voted -- and were then able to go in and change the actual votes.
It still stuns us that, despite so many problems found with e-voting technologies, that elections officials in the US seem to have no problem continuing to roll them out every election time, it looks like Germany is taking a slightly different perspective. A number of readers have sent in the news that Germany's highest court hasn't just rejected Germany's use of e-voting technologies, but declared their usage in a 2005 election as unconstitutional, due to the unreliable nature of the machines and (more importantly) the fact that the black box nature of the machines made the elections not as transparent as required. That said... it also allowed the results from the election to stand, saying there was no actual evidence of mistakes. Still, perhaps other courts will start to recognize this as well: when you make the details of the election and how the results are counted totally secret, you cannot have a citizenry that believes that the election results were fair or accurate.
Back in December, we pointed to yet another (in a long line) of stories about lost votes on an e-voting machine in an election in California. The machines in question were from Premier Election Solutions, the shiny coat of paint put on the e-voting unit of Diebold, whose name had been tarnished for a long history of defective, highly vulnerable e-voting machines (along with a long history of denying any problems whatsoever with those machines). You would think after all these years of criticism, and a shiny new name, the company would be a bit more careful to make sure its machines weren't actually defective. No such luck.
As Slashdot points out, the Secretary of State's report on the matter clearly places the blame on Diebold's faulty equipment (warning: pdf file). Still, the scariest part is what we noted in the original story about the problems: despite all of the claims to the contrary, the 200 or so lost votes wouldn't have been noticed at all under Diebold/Premier's normal auditing process. It was only because of an experimental "transparency" project set up by local officials that the mistake was noted. Thus, Diebold machines in other regions may have lost votes, and no one will know about it. So can anyone explain why anyone still uses e-voting machines from this company? For years they've lied, stonewalled, denied problems, attacked critics... and produced faulty equipment over and over again. And it's still being used.
In the latest sad saga concerning e-voting mishaps, it appears that Finland's courts have agreed to certify a recent election, despite approximately 2% of the votes not being counted (found via Slashdot). Also, there were additional problems as it's been discovered that despite the requirement for an "anonymous election" the voting software stored identifying information, along with how each voter voted. Oops. Once again, we're left wondering why various governments keep trusting such questionable equipment?
Things just keep getting worse for Diebold's e-voting subsidiary, that was laughably renamed Premier Election Solutions to avoid all of the baggage associated with the Diebold name. It seems that the state of Maryland is suing the company and demanding $8.5 million to cover the money the state had to pay to fix its faulty e-voting machines. You may recall that Maryland has been at the forefront in fighting Diebold/Premier over its machines. Back in 2006, following some rather damning info and significant problems, Maryland's governor wanted to get rid of all of Diebold's machines.
Diebold did its usual thing, responding to different problems, insisting there was no real problem and if there were, that it would all be fixed in time for the election in November of that year. Of course, Diebold didn't actually do much to help -- so the state of Maryland took matters into their own hands to try to fix the flaws in the machines, and now wants Diebold/Premier to pay for the costs of having done so. In rather typical fashion, Diebold/Premier has put out its usual response to pretty much any criticism: claiming it has no clue what anyone is talking about, saying that it is "puzzled by the timing and vagueness" of the lawsuit, while also saying it is: "inaccurate and unfounded." The company also says its about events that occurred "five or more years ago" (apparently, they weren't paying attention in 2006) and that "Maryland just completed one of the smoothest elections in the state's history," though the company fails to note that's more in spite of Diebold/Premier than because of it.
Following last week's revelation of votes lost in California thanks to Premier (better known as Diebold) and its voting equipment, The Register points us to even more votes lost by Premier/Diebold machines in Ohio. Again, it was only because of a special, rare, spot check, which isn't commonly done with these machines, that the lost votes were noticed. And, as usual, Diebold... er... Premier downplayed the discovery:
"We have not seen this particular condition anywhere else in Ohio or anywhere else in the country."
Is it really that difficult for the company to admit that it screwed up? For quite some time now, pretty much every investigation and every more detailed look at any kind of e-voting equipment have turned up similar failures. For the company to brush it off because it hasn't seen "this particular condition" anywhere else is ridiculous. It does make you wonder, though, why anyone would ever buy such equipment and use it in an actual election.
For years and years Diebold Election Systems (now Premier Election Solutions) had always vehemently denied that its e-voting or optical vote scanning machines had any problems -- despite mounds and mounds of evidence of problems. We were shocked, this past summer, when the company finally admitted to a glitch with some of its machines, but the company still downplayed the significance of this, claiming that it didn't believe the glitch (which loses votes) had actually impacted any elections.
Yet, even after this glitch was officially revealed, in the election just last month, we're now finding out that Diebold machines caused 200 lost votes in an election in California. Even worse, no one would even know about this at all if it weren't for a highly ambitious and very unique program set up by some voting activists to ensure there was real transparency. They convinced the local government to let them scan every single ballot and put it online for anyone to view. It was that separate process where they discovered the ballot counts didn't match, and that Diebold seemed to show absolutely no records of the missing ballots, despite having scanned them.
Makes you kinda wonder how many other areas lost votes that absolutely no one knows about because they didn't have such a system in place, huh?
We've often wondered why various governments haven't mandated open source e-voting systems. After all, if a free and democratic election is supposed involve true transparency into the voting process, it's hard to see how proprietary software can be allowed. However, the big e-voting companies have been staunch supporters of keeping their solutions proprietary. Except... it may turn out that Premier Election Solutions (which was better known as Diebold until it changed its name to get away from the mocking laughter) is actually using some open source software... and not abiding by the license. Artifex Software is suing Premier for apparently using its GPL'd software and not adhering to the GPL terms. Of course, we should note that Diebold (er... Premier) has suggested in the past that it might eventually open source its own product, so maybe a little legal nudge will push it over the edge.
Following on our earlier story demonstrating the calibration errors on ES&S e-voting machines in West Virginia, comes this report that notes the calibration controls are not protected and accessible to anyone. In other words, a pollworker or even a voter could modify the calibration to make it more difficult to vote for a particular candidate. While the overall risk may be minimal (voters would still see whether the correct candidate was highlighted), it could significantly impact voters' confidence with the accuracy of these machines and the sanctity of the election. It's still rather amazing how many stories we see on a near daily basis concerning how badly these machines are built.
If someone pitched a movie based on e-voting machines that work as bad as the ones being used in the current election, the story would be dumped as being unrealistic. But truth is, indeed, often stranger than fiction. You may recall on Friday that we had a post about problems with e-voting machines in West Virginia selecting the wrong candidate when voters touched the screen. Various officials rushed to insist that there was absolutely nothing wrong. One, the local county clerk, Jeff Waybright insisted that the problems were "the result of voter error."
Well, it appears that a group called Video The Vote went and visited with Mr. Waybright as he showed them how the e-voting machines work, and perhaps the "human error" is on Mr. Waybright's part. The beginning of the video is troubling enough, as he brushes aside concerns while he shows a miscalibrated machine. He demonstrates how he clicks on one candidate and another is highlighted, in a tone of voice that suggests why would anyone possibly be upset or annoyed if that happened? He then oddly thinks the fact that his wildly miscalibrated machine enhances his point because when he clicks on Barack Obama's name, the actual name highlighted isn't McCain (of course, it's not Obama either, but he doesn't seem troubled by this). Waybright seems to think that the only complaint people are making is the fact that some tried to vote for the Democratic ticket and saw the Republican ticket show up -- when the real concern is simply the fact that when you touch one name, someone else's name is highlighted. Democrat or Republican really isn't the issue here.
However, then things get worse. After mocking the idea that anyone clicking on a Democratic ticket vote would get the Republican ticket vote, he shows how to correctly calibrate the machine, showing how easy it is to fix the "problems" of the miscalibrated machine. When he's done, to prove it works, he touches the box to vote for a straight Republican ticket ticket... and, wouldn't you know it, Ralph Nader's name is highlighted as the voter's choice. His response? "Oh, that's out of calibration!" as if it was no big deal, apparently missing the fact that he had just calibrated the machine. He then seems to think none of this is a big deal, because voters will see the misvote before they submit it, apparently unaware of the idea that many people are already quite distrustful of these machines, and seeing them highlight the wrong name over and over again will make them seriously question the legitimacy of the election.
The GAO had warned that there would be some pretty massive e-voting problems this year, as election officials were not properly trained on the already problematic machines, so it should come as little surprise that over in West Virginia, the "early voting" procedures have resulted in numerous complaints that the e-voting machines selected the wrong candidate. The scenario is depressingly similar to the one that The Simpsonspredicted, where the voter selects one name, and the other one shows up as highlighted. Poll workers told them to just keep clicking until the right one was chosen, and noted that the machines have "just been doing that."
What's more depressing is how everyone involved seems to brush this off as no big deal. Officials claimed that these "were isolated cases and that poll workers fixed the problems so the correct vote was cast." That may be true of the two people that CNN spoke too, but who knows if others got the machines to work properly. And then there's West Virginia's Secretary of State, Betty Ireland , who basically pulled a page from Sequoia's playbook, of covering her eyes and ears and screaming loudly that everything is fine:
"There are no problems with the machines as recalibrated. Touch-screen voting in West Virginia is accurate and secure."
Because you say so? As opposed to those who are actually voting and finding it's not? That's comforting.
In this case, the machines are supplied by ES&S whose machines (like both Sequoia and Diebold) have a relatively long history of screwing up at election time. ES&S is also the company where an employee of the company showed up here to berate us and insist that no independent experts should be allowed to look at the machines and that they were safe and reliable because those working at these firms knew better than the rest of us. It's as if the e-voting companies and the politicians think that if they just keep repeating it, maybe it will become true.
RSS
Twitter
