A Houston Chronicle article last week described how, following the November 6 election, Harris County election administrator Johnnie German “used high-security codes to tap into the Harris County elections computer system last week and change some of the results manually.” It seems that the Hart Intercivic voting system used in Harris County allows anyone with access and a passcode to modify vote totals from an election without leaving any record of the modification.
But it gets worse. According to Dan Wallach of Rice University's Computer Security Lab (pictured at left), who served on the task force that recently studied the Hart system as part of the California Secretary of State’s electronic voting system review, the "encryption key" code can be extracted from voting equipment at any precinct.
The necessity for modifying the vote totals in Harris County was the result of confusion during early voting caused by split precincts resulted in 293 voters in Emergency Services District No. 9 being given the wrong ballot and therefore being unable to express an opinion on a sales tax referendum for a fire/ambulance district in the Cypress-Fairbanks area of the county since it didn't appear on their screens.
Computer expert John R. Behrman, who observed the vote adjustments, said he was “shocked” when he saw German use a series of passwords and an "encryption key" -- a series of numbers on a nail file-size computer memory storage device -- to reach a computer program that said "Adjustment." Shocking indeed.
"A hundred percent of precincts reporting, and everything had been distributed to the press," he said. "Then and only then did I see how they were going to do this, and frankly I never thought it was possible.
"Basically it turns out, without regard to any ballots that have been cast, you can enter arbitrary numbers in there and report them out in such a way that, unless you go back to these giant (computer) logs and interpret the logs, you wouldn't know it has been done."
It is reasonable that an electronic voting system should provide administrators with procedures with which to make such corrections - if such procedures are secure and accountable. However it seems that the Hart “Adjust” feature fails to provide adequate security or even follow fundamental accounting principles.
With reference to the section of the California team’s report on their review of Hart’s source code that describes the "vote adjustment" feature, Professor Wallach explained in an email posted on Charles Kuffner’s Blog:
Hart's tabulation system, "Tally" supports a feature that allows an election administrator (i.e., somebody who knows the special administrator password, has the appropriate USB key token, and has access to the Tally machine) to make pretty much arbitrary changes to the election totals. This functionality operates by directly editing the totals, which goes entirely against standard bookkeeping practices (where you never, ever overwrite a number in the books; you instead add a line to the books that states what the correction is and where the error occurred). Hart's basic design allows for innocent mistakes to go uncorrected, since there is no easy way to audit any corrections that may have been made. Corrections do not show up on official election reports. Wallach also notes that as a result of the review of Hart’s system, the California Secretary of State imposed a variety of conditions on the use of Hart systems, but that in Texas, such procedures are far behind the California standards – and in his opinion are unacceptably error-prone and insecure.
As a secondary matter, the security features, intended to prevent unauthorized users from accessing this feature, are similarly inadequate. The password necessary to interact with the database is stored on the disk where any user of the machine can easily access it (see our report, pages 48-49, "Issue 15: Database passwords are stored insecurely"). Similarly, the USB tokens, used to manage cryptographic keys, turn out to all contain precisely the same key, which is used throughout the county. The very same key is stored inside machines in every precinct and can be easily extracted (see our report, pages 55-57, Section 6.7, "Cryptographic Key Management").
So, indeed, Hart has multiple lines of defense. Unfortunately, every one of them is incorrectly engineered, rendering the system entirely vulnerable to compromise. Of course, I am not stating that any such compromise has ever happened in Harris County. What I am saying is that the design of the Hart system is entirely insufficient to prevent such attacks, should a competent attacker wish to make them.
If Texas were to adopt all of the conditions of how voting systems are used in California (including parallel testing, mandatory paper trails, mandatory audits of the paper trails, limits on the number of DREs per precinct with most voters casting optical scan paper ballots, and so forth) that would be a great start.
Hart Intercivic equipment is used in 16 states nationwide. Some of those states have some of the security procedures that Wallach mentions in place, but many do not. Safeguards to help mitigate these security concerns like those required in California can and should be implemented in all jurisdictions using electronic voting systems.
Aboce all, it is important that the election officials in Harris County rightly required observers from both parties to be present when he made the correction. Under no circumstances should this type of process occur without appropriate observers. Ideally citizens should be invited to observe as well, not just representatives of the parties.
Comment on This Article
You must login to leave comments...
Other Visitors Comments
There are no comments currently....