This report of irregularities in the May 16 Pennsylvania Primary Election was prepared for VotePA. It is available for download in PDF format here. The images referred in the report can be viewed in the PDF document.
On May 16th, 2006, Allegheny County voters encountered a new polling-place environment. The gear-and-lever machines which we were familiar with after decades of use were retired due to a federal mandate resulting from the federal Help America Vote Act (HAVA). HAVA's goals include increasing the accessibility of the voting process to all voters and providing increased assurance of voting-system accuracy and reliability. VotePA is a statewide volunteer organization advocating secure, accessible, and recountable voting for all Pennsylvanians. Less than two months before the primary election, the Allegheny County Board of Elections selected the ES&S iVotronic electronic voting machine, which provides no mechanism, such as a printed paper ballot, for voters to personally verify that the machine accurately records their votes. This report documents irregularities occurring during the May 16th primary which cast serious doubt on the integrity of the voting process.
Overview of Findings
Serious procedural, operational, and design issues call into question the results from iVotronic voting machines used in Allegheny County in the May 16th primary election. It appears that two different models of the ES&S iVotronic machine were used, one of which was not legally certified. Poll-worker statements and post-election analysis of voting-machine printouts from the election reveal that electronic voting machines ran program code not legally certified for use in Pennsylvania. Other print-outs demonstrate operational problems at many polling places and serious problems with the integrity of the iVotronic “zero-print” function, which is supposed to assure the public that electronic “ballot-box stuffing” does not occur.
The Vote-Trust Two-Step
Allegheny County voters have been asked to accept the new voting machines based on a two-step line of argument.
1. First, a small number of voting-machine experts, chosen by the voting-machine manufacturers and the Secretary of the Commonwealth, who are given privileged access to the internals of the machines, have examined them and declared them to be accurate and secure.
2. Second, the Elections Division of the Allegheny County Department of Administrative Services will ensure that all voting machine systems (hardware, software, and documentation) deployed in Allegheny County elections will be exactly what was examined and certified by the federally-accredited Independent Testing Authority and the Secretary of the Commonwealth. Voter trust logically requires that both premises are true. However, there are solid reasons to
doubt that either one is valid.
1. Approximately one week before our primary election, an extremely serious security flaw was found in the Diebold electronic voting machines used in some Pennsylvania counties. Security expert Avi Rubin of Johns Hopkins University was quoted by Newsweek as saying, “If Diebold had set out to build a system as insecure as they possibly could, this would be it.” This vulnerability was discovered by an independent researcher after the machine had already
completed the federal certification process and received state-level certification in several states, including Pennsylvania. This incident supports the opinion of many computer scientists that the certification process inherently cannot detect all security vulnerabilities – or all program flaws leading to incorrect vote totals.
Also, electronic voting machines represent a dramatic increase in complexity, and decrease in transparency, compared to older voting systems. In Allegheny County, machines containing thousands of gears visible to the naked eye have been replaced with ones containing millions of invisible transistors. It is correspondingly less feasible for examination of a machine to reveal its exact behavior or any post-deployment tampering.
2. As documented in our findings below, and in court testimony from a County election official, the County currently does not have an adequate process for ensuring the provenance of software deployed on our voting machines.
The implication for voters is that, while our voting machines may be secure and accurate, there is no strong line of reasoning supporting that laudable goal. In short, each vote cast on iVotronic machines in the primary election was to some extent a leap of faith. If that faith was misplaced, voters may have been disenfranchised.
Two varieties of iVotronic were present in most or all polling places in the primary. One machine type is referred to by ES&S as “the ADA model” (presumably referring to the federal Americans With Disabilities act) which has “ADA scroll buttons” and received state certification based upon the examination report prepared by Dr. Michael Shamos. The other model is not the “ADA Model” as specified by Dr. Shamos in his certification report, as it lacks the “ADA
scroll buttons.” Because these two machines obviously differ in function, and differ in their physical form, it is difficult to come to the conclusion that the non-ADA machine was examined and found fit for use in Pennsylvania. While there may be no differences between the machines in terms of their ability to record and count votes, it is also possible that there are. It is possible that approximately half of the votes cast in the primary were on machines not legal for voting in this state.
Electronic voting machines are computers running programs which can contain accidental or potentially malicious errors. Because the ES&S iVotronic voting machines used in Allegheny County provide no way for voters to personally verify that their votes have been correctly and accurately recorded, voters must trust the iVotronic program code to be correct. The inspection and certification process carried out by the Secretary of the Commonwealth is meaningless unless the County ensures the machines run exactly the programs the Secretary certifies. VotePA has learned that uncertified software, of potentially unknown behavior, was run in the May 16th primary election.
Two independent bodies of program code are relevant here. Some software runs on each iVotronic touch-screen voting terminal, and additional embedded software (called “firmware”) is present on the hand-held “Personal Electronic Ballot” (PEB) modules used to activate the voting terminals, combine votes from the two machines at each polling place, and return polling-place vote totals to regional reporting centers after polls close.
Reports from several election workers strongly suggest that the ADA and non-ADA iVotronic terminals were running different software. In particular, one author of this report, a Judge of Elections, observed the two machines presenting a different sequence of screen images as part of the process of arming the machine for each voter. While this difference could be due to software configuration settings as opposed to the program code itself, it is also very plausible that the behavioral difference is due to two different software programs existing on the two terminals. Since the Secretary of the Commonwealth certified one software version, any other version would presumably be uncertified – either unexamined, or examined but found wanting.
The case is stronger that PEBs running uncertified software were used. Figure 1 displays excerpts from the final-print tapes produced by machines in the 35th and 40th districts of the 14th ward of Pittsburgh. The lines indicated by the arrows show that the 14-35 PEB is running certified software but that the 14-40 PEB is not. As above, it is possible that the 1.05 PEB firmware correctly records, stores, and tallies votes. But it is also possible that it contains errors or features which are not compatible with Pennsylvania election regulations.
In order to prevent voting-machine “ballot-box stuffing,” Pennsylvania election procedures require that a zero-count printout is posted for public inspection before voting begins. The zero print displays the number of votes recorded for each candidate in each race, and these vote counts should all be zero. The intent of the zero print is to assure citizens that machines were not “stuffed” with votes before the election. VotePA has discovered numerous operational problems and apparent design issues with the iVotronic zero-print process.
Poll-worker reports and examinations of zero prints from many polling places show that zero prints were printed long after polls were opened and votes were cast on the machines. This means that many voters were forced to cast votes despite the danger that vote totals were manipulated. County technicians reportedly invoked special administrative functions throughout the election day to produce printouts claiming zero votes had been cast before
voting began. Figure 2 shows detail views of the zero-print from the 10th district of the 4th ward of Pittsburgh indicating that the machines opened late and the zero-print was produced after a further delay. We encountered zero-print tapes with timestamps indicating a variety of morning and afternoon printing times.
While these “time-travel” printouts are a feature explicitly designed and documented by the manufacturer, there is a clear difference between a printout of a machine's current contents and a printout of what a machine says now that it contained before. Voters must decide for themselves whether “time-travel” zero prints offer an acceptable level of anti-stuffing assurance.
Some zero prints flatly fail to provide the required level of documentation of machine vote tallies. VotePA has discovered situations where vote totals were reported for only one machine in a polling place – or even none. Figure 3 excerpts the zero-print tape from the 19th district of the 4th ward of Pittsburgh. While the main body of the tape faithfully reports zero votes cast for each candidate, these totals are apparently derived from the examination of no
machines, rather than the two machines issued to the polling place. Figure 4 excerpts a zero-print tape structurally invalid in a different way. Rather than being a “Polling Place Zero Tape” it is instead a “Terminal Zero Tape”. This discrepancy may well indicate that a roving voting-machine technician inadvertently selected the wrong function from the internal machine-administration menu. In any case, once again voters presumably were not provided with the
required protection against vote-stuffing. VotePA encountered other instances of irregular zero prints in our post-election review, including partial tapes where vote totals were missing for some races. Overall, it does not appear that the iVotronic zero-print mechanisms provide an adequate level of reliability.
Since zero prints and final prints contain timestamp data for the activation and de-activation of voting terminals, we determined as a side effect of our review process that many machines were activated well after the 7:00 a.m. poll-opening time. Anecdotal reports suggest that in some cases voters were forced to wait, or turned away, instead of being offered the opportunity to vote immediately with optical-scan paper ballots.
Based on the contents of this report, which we believe demonstrate obstacles to voter confidence in the voting-machine process, we recommend that the County immediately take the following actions.
1. Implement a chain-of-custody process for ensuring that all voting equipment runs only software certified at the federal and state levels.
2. Require ES&S to repair the zero-print process. In particular, it should not be possible for the machines to print part of a tape while the printer is disconnected and it should not be possible to activate the machines until the zero-print process has completed without errors. Version numbers displayed on zero and final prints must be complete, listing the software version in use by every iVotronic terminal and every PEB deployed to a polling place, and precise (a PEB
running firmware 1.07c should not be listed as “1.07” on a printout). Of course, any software incorporating these changes must be properly certified before deployment.
3. Establish a program and schedule for achieving voter verifiability in the voting process, whether this requires upgrading or replacing the existing machines. This is necessary due to the observed failures of both premises of the paperless-machine trust argument and, based on voter comments, would increase voter confidence in the system. At least one voting-machine system providing voter verifiability has already been certified for use in Pennsylvania, so any continued operation of non-voter-verifiable systems represents an explicit choice by the County which VotePA opposes.
4. Generally establish a “culture of assurance,” including the establishment of a citizen advisory council to address voting-system concerns, the inclusion of a local panel of experts in the program-code certification process, a program of routine post-election audits (including post-election code comparisons), and the passing of county-level ordinances penalizing the provision or operation of uncertified voting-machine systems.
A mixture of uncertified software, uncertified hardware, and dubious or meaningless zero prints casts serious doubts on election integrity. Though our post-election review did not reveal “smoking gun” evidence of vote tampering or lost votes, we are left with no real assurance that they didn't happen, either. In the words of Carl Sagan, “absence of evidence is not evidence of absence.” We view this uncertainty as unacceptable and call on the County to address it
About the Images
The images in this document are scans of photocopies of actual iVotronic printouts from the May 16th primary election in Allegheny County. Because the iVotronic prints on a long, narrow strip of paper, it was necessary to manually copy short pieces of the tape, which were digitally combined into long images. Specific parts of images were digitally enlarged for visibility.
Though election-day documents are matters of public record, signatures of poll workers were redacted in this report to reduce the likelihood of identity theft.
Comment on This Article
You must login to leave comments...
Other Visitors Comments
You must login to see comments...