Every voting system includes a key component, called the ballot definition file (BDF), that is never subjected to an outside review. Given that BDFs determine the way votes are recorded and counted, the lack of independent oversight of these files is a major security vulnerability. If BDFs are incorrectly prepared, the wrong candidate could be elected. Furthermore, while BDFs may be primarily data, they also include logic and perhaps even other software that could change the outcome of an election.

BDFs are unique for each election and define all the races and candidates for each precinct. BDFs tell the voting machine software how to interpret a voter's touches on a screen or marks on an optical scan ballot (including absentee ballots), how to record those selections as votes, and how to combine them into the final tally.

Programming election data is a very complex process, especially in counties with hundreds of different ballot styles, and a single error can jeopardize the outcome of an election.

Some election districts lack the technical expertise to prepare BDFs, and instead depend on the vendor or outside programmers for the preparation. Others prepare the BDFs themselves. In both cases, however, BDFs undergo very little testing and no independent audit before being used to determine the results of an election. Little wonder that many serious election disruptions have been caused by ballot definition errors. Other BDF errors have probably gone unnoticed, and some may have affected election outcomes. Read the Entire Article

Steven Hill is director of the Political Reform Program of the New America Foundation. This article, excerpted from the author’s new book, 10 Steps to Repair American Democracy appeared on tompaine.com on June 5, 2006, the day before the California primary election. Part I of a two-part series. Part II "Recipe For A Fair Election" outlines a forward-looking agenda for how to secure the vote in the United States. the articles are reposted here with permission of the author.

Will your vote count on Tuesday? As we head into another election season - with control of Congress potentially up for grabs - ongoing concerns about voting equipment and election administration continue to worry fair elections advocates. Recent headlines have added to previous fears, but there are also signs that effective advocacy is paying off.

Last month, The New York Times and other news media reported on a new security glitch uncovered in election equipment manufacturer Diebold Election System's ATM-like touch-screen voting machines. Voting technology experts have called it the "worst security flaw ever" - any person with basic knowledge and a minute or two of access to a Diebold touch screen could load virtually any software into the machine and disable it, redistribute votes or alter its performance in myriad ways without being detected.

"This [security flaw] is worse than any of the others I've seen. It's more fundamental," said Douglas Jones, a University of Iowa computer scientist and veteran voting system examiner for the state of Iowa. "In the other ones, we've been arguing about the security of the locks on the front door. Now we find that there's no back door.”

Incredibly, media reports withheld some details of the vulnerability at the request of elections officials and scientists, partly because exploiting the security hole is so easy that providing details would give a roadmap to a potential hacker. Read the Entire Article

Connecting Work on Threat Analysis to the Real World
by Douglas W. Jones, The University of Iowa - June 19, 2006

This paper was presented at Threat Analyses for Voting System Categories: A Workshop on Rating Voting Methods,
at George Washington University, June 8-9, 2006. It is posted here with permission of the author.

As a prefatory remark, I should note that I initially hesitated to present this paper because it names vendors and describes long-standing problems with some of their products. But there is no way around this. If we cannot speak about real systems and real threats here, where can we speak about them? In any event, while products made by Diebold feature prominently here, they are not the only vendor I mention, and my intent is to focus on the larger system that allowed these problems to persist years after they were first uncovered, not to focus on the
particular vendors that were responsible for these problems in the first place.

A Voting System Security Problem

Almost a decade ago, on November 6, 1997, I had the opportunity to examine a new voting system developed by I-Mark Systems and recently acquired by Global Election Systems. At the time, I was serving on the Iowa Board of Examiners for Voting Machines and Electronic Voting Systems, and the vendor, Global, had brought their AccuTouch system to us for examination. It did not take me long to find a significant security vulnerability. I pointed this out
to the vendor's representatives who were present at the examination, and I assumed that this was a sufficient action on my part.

It seemed unnecessary to raise a public alarm or to call in the press. The meeting where I pointed this problem out was a public meeting, although I don't recall more than one or two county election officials being present as members of the public. The minutes of the meeting are a public record, available to anyone. They described the security vulnerability as follows: "Dr. Jones also expressed concern about data encryption standards used to guarantee the integrity of the data on the machine. DES requires the use of electronic keys to lock and unlock all critical data. Currently all machines use the same key."

As I recall the discussion that was reported so tersely in the minutes, I told Bob Urosevich and Barry Herron, the Global representatives at the meeting, that embedding the encryption keys in the source code might be acceptable in a prototype proof-of-concept system, but that they needed to do better key management before the system went into widespread public use. I told them that, so long as the encryption keys were in the source code, they needed to guarantee that the source code would be tightly guarded, and they needed to guarantee that no voting systems would ever be sent to the landfill or to surplus sales outlets without first deleting all object code from them.

What alarmed as much as the security flaw I'd found was the fact that Wyle Labs, the Independent Testing Authority that had examined the I-Mark system, had not seen the problem. Their September 10, 1996 report on Qualification Testing of the I-Mark Electronic Ballot Station contained enough information to reveal the presence of the key-management problem I had identified, but the source code examiners had not noticed any problem, and in fact, the report indicated that the security of this system was particularly impressive because of its use of DES. Read the Entire Paper

At its 47th biennial national convention last week in Minneapolis, the League of Women Voters (LWVUS) passed a resolution in support of voter-verified paper records and mandatory random manual audits of voting systems nationwide. The resolution was drafted by the League of Women Voters Minnesota (LWVMN). The resolution is applauded by VoteTrustUSA, VotersUnite.org, Verified Voting, and election integrity organizations across the country.

Rep. Rush Holt (D-NJ), who has introduced legislation to establish a requirement for voter verified paper records and audits was enthusiastic in his praise of the League's decision. "I am delighted that the League of Women Voters has embraced the concept contained in my Voter Confidence and Increased Accessibility Act of 2005 (H.R. 550). As the League noted, 'Paperless electronic voting systems are not inherently secure, can malfunction, and do not provide a recountable audit trail.' We will be unable to remove doubt about the results of elections using such machines until there is a national standard requiring auditability."

"Today, one of the leading voices in election integrity was loud and clear: a voter-verified paper ballot is fundamental to honest, auditable elections."

Barbara Simons, a Board member of Verified Voting, and past chair of the Association for Computing Machinery (ACM) stated, "I'm thrilled that the League has reaffirmed its core value of protecting the citizens' right to vote and have that vote accurately counted." Read the Entire Article

With another election season around the corner, activists are concerned that electronic voting machines supplied by a handful of American corporations are bug-ridden and easily tampered with, but the road to redress is rough and windy.

While this newly exposed security flaw is serious, Shamos said he isn't surprised because Diebold has "a history of not paying attention to security."

This article appeared in The New Standard on May 16, 2006. It is reposted here with permission of the publisher.

From serious security flaws that could allow hackers easy access to electronic voting systems, to routine computer malfunctions and undelivered software, state and local officials are one-by-one joining voter-access groups and computer scientists in questioning the reliability of the three major suppliers of electronic voting machines.

The latest security flaw to be uncovered affects thousands of Diebold touch-screen voting machines across the country. Computer scientist Michael Shamos, a professor at Carnegie Mellon University and one of the examiners that tested several companies' machines in Pennsylvania, described the defect as a "misfeature" originally designed by Diebold to let field technicians update machine software quickly.

But, he said, it also would permit someone to upload their own software onto a voting machine with the aim of tampering with election results. Shamos said the problem is the "biggest we've ever seen."

Pennsylvania's primary was Tuesday and Shamos said he would be at the polls monitoring the electronic tabulations.

Last week, voter-access group Black Box Voting (BBV) released the report of Finnish computer scientist Harri Hursti, who discovered the "back door" into Diebold touch-screen systems earlier this spring when examining machines in Emery County, Utah. Bruce Funk, an Emery County clerk of 23 years, had sought independent analysis of his county's machines after he discovered numerous problems and was unsatisfied with Diebold's response. Read the Entire Article

In an unusual development, and voting machine manufacturer - Diebold Election Systems - has both accepted responsibility for problems with their equipment. The primary election earlier this month in Kern County, California was plagued with long lines, with many voters being turned away from polling places.

Kern County spent $5 million on the Diebold touch-screen voting system in 2004. On Election Day the machines are activated for each voter by a 'smart card'. The county didn't buy enough of the voter activation card in 2004, so they purchased more for this year's elections.

The new cards worked with extra security software added to shortly before the June elections, but the old cards didn't. Training and testing of the election system was done with the new cards. When the voters tried to use the old cards on Election Day they were rejected by the new security system.

According to a report on KERO News, Diebold Vice President Steven Moreland "took full responsibility for the snafu", saying "the company didn't know the enhanced security measure on their voting machines would reject old voter access cards." Read the Entire Article

"Florida's first priority is to protect the vendors. We'll let California worry about the damn voters."

For a county supervisor of elections needing someone to test the vulnerabilities of his voting system, Dan Wallach's the man.

Wallach (pictured at left), who runs the security computer lab at Rice University, is a nationally regarded expert on computer network security and voting system vulnerabilities. He's associate director of ACCURATE (A Center for Correct, Usable, Reliable, Auditable and Transparent Elections). Besides, his parents live in Lauderdale-by-the-Sea.

Wallach and his associates at ACCURATE may represent academia's leading experts on voting system security, but under the new rules promulgated by the Florida Secretary of State, they don't qualify.

Any security test, the secretary of state's office insists, must be performed by someone certified by the American Software Testing Qualifications Board, the American Society for Quality or the EC (E-Commerce) Council.

Not only is Wallach not certified by the three organizations, ''I've never heard of them,'' he says.

Actually, the first two organizations are concerned with the overall quality of manufactured software, not security. The EC Council website offers a five-day training course into something called ''ethical hacking.'' Five days of training, under the new rules, would trump the most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on California's Ad Hoc Task Force on Touch Screen Voting, and whose degree -- not the five-day kind -- comes from MIT, added his apprehensions to the comments on the proposed rules the Florida Secretary of State's office collected Monday. He said they would ``would exclude the most competent evaluators, such as those who have found most of the reported security holes in existing voting systems.

''I have checked with several computer security experts, who not only do not have these qualifications, but, like me, have never heard of them. A little research on the Web reveals these certifications to be of dubious relevance to voting system evaluation,'' Dill wrote.

Other rules would require that the voting-machine vendors and the secretary's office get advance notice of any security test. And a supervisor of elections contemplating a security test must first take special pains to protect the machine manufacturer's secret operating code. Read the Entire Article

Georgians for Verified Voting and Defenders of Democracy recently called for the resignation of Secretary of State Cathy Cox for her position as the state's chief election adminstrator. they also called for the immediate de-certification of diebold election equipment for use in the state. The formal request and the state's response can be downloaded here. The following letter will be presented to the Georgia State Board of Elections on June 19, 2006.

As representatives of the undersigned groups, we are calling on the Georgia State Election Board and the Office of the Secretary of State to immediately decertify the state’s Diebold Election System (DES). We call for the Georgia Elections Division to begin immediate preparations for the deployment of an alternative means of voting in time for the 2006 primaries and General Election.

A security vulnerability recently exposed in the architecture of the DES is being called a "major national security risk" by computer science and security experts. The effect of this vulnerability is that voting systems could be infected throughout an entire state, enabling an attacker to alter election results on a massive scale without detection. Once the vulnerability is exploited, the voting system could be under the control of the attacker, not only for the current election, but also for future elections.

"It's the most severe security flaw ever discovered in a voting system," said Michael I. Shamos, a professor of computer science at Carnegie Mellon University who is an examiner of electronic voting systems for Pennsylvania."

The computer scientists who are knowledgeable of the technical details of this vulnerability state that the problem cannot be fixed or "cleaned up". It represents an open backdoor that is part of the design of the Diebold TS-R6 and TSX voting systems.

"It is like the nuclear bomb for e-voting systems," said Avi Rubin, computer science professor at Johns Hopkins University. "It's the deal breaker. It really makes the security flaws that we found (in prior years) look trivial." Read the Entire Article

New York to vote on lever machines in 2006, but complacency is not an option

This update on the situation in New York appeared on Bo Lipari's Weblog. It is reposted here with permission of the author.

There’s a good deal of well deserved confusion about the situation in New York State regarding HAVA implementation. The question on concerned citizens' minds is: will New York be voting on new systems in the 2006 elections? So let's clear up what's going on in the Empire State as of June 2006.

It’s well known that New York got a very late start on making plans for HAVA. By the time the US Department of Justice (DOJ) sued NY for HAVA non-compliance on March 1, 2006, it had become clear to those who understood the size and complexity of the task that any attempt to replace NY’s lever machines by September would result in an electoral train wreck. I’ll talk more about the Department of Justice lawsuit in my next post, for now skipping ahead to the end – the DOJ, the State of New York and the US District Court have agreed that it is not possible to replace lever machines this year, and have agreed instead to an interim option, colloquially referred to as “Plan B”. Read the Entire Article

This report of irregularities in the May 16 Pennsylvania Primary Election was prepared for VotePA. It is available for download in PDF format here. The images referred in the report can be viewed in the PDF document.

Background

On May 16th, 2006, Allegheny County voters encountered a new polling-place environment. The gear-and-lever machines which we were familiar with after decades of use were retired due to a federal mandate resulting from the federal Help America Vote Act (HAVA). HAVA's goals include increasing the accessibility of the voting process to all voters and providing increased assurance of voting-system accuracy and reliability. VotePA is a statewide volunteer organization advocating secure, accessible, and recountable voting for all Pennsylvanians. Less than two months before the primary election, the Allegheny County Board of Elections selected the ES&S iVotronic electronic voting machine, which provides no mechanism, such as a printed paper ballot, for voters to personally verify that the machine accurately records their votes. This report documents irregularities occurring during the May 16th primary which cast serious doubt on the integrity of the voting process.

Serious procedural, operational, and design issues call into question the results from iVotronic voting machines used in Allegheny County in the May 16th primary election. It appears that two different models of the ES&S iVotronic machine were used, one of which was not legally certified. Poll-worker statements and post-election analysis of voting-machine printouts from the election reveal that electronic voting machines ran program code not legally certified for use in Pennsylvania. Other print-outs demonstrate operational problems at many polling places and serious problems with the integrity of the iVotronic "zero-print" function, which is supposed to assure the public that electronic "ballot-box stuffing" does not occur. Read the Entire Article

Voters, civil rights groups and a statewide candidate filed a petition Wednesday to prevent the State of Texas from using unreliable electronic voting machines in the November elections.

Travis County voter Sonia Santana, the NAACP of Austin, its president, Nelson Linder, also a Travis County voter, and David Van Os, a candidate for attorney general, filed a petition asking the court to enjoin the county from using voting machines that do not produce a paper ballot. The Texas Civil Rights Project represents the plaintiffs.

"Voters deserve the assurance their voices will be heard," said Jim Harrington, director of the Texas Civil Rights Project. "By using machines that provide no permanent record, the state is failing in its constitutional duty to provide the people with an election in which they can trust the results."

More than half the states now require their electronic voting machines to print a paper ballot when the voter casts his or her vote. The voter reads his or her ballot to make sure it recorded the vote he or she intended and then casts both the electronic and paper ballots. Read the Entire Article