Tuesday, February 28, 2006

Voting system certification hearing tomorrow in Sacramento

Tomorrow the Secretary of State's office will conduct a public hearing on pending certifications of voting equipment made by three different manufacturers -- Sequoia, ES&S and Hart. The Secretary of State has posted a number of documents on the agency's Voting Systems web page relating to the hearing (scroll down to "Pending Certification" to find them). The collection includes the agenda and staff and consultant reports.

Although conditional certification of Diebold voting equipment has already been granted, it is likely that many activists will be showing up for this hearing to express their opposition to that certification decision, beginning with a 9:30 a.m. news conference outside the Secretary of State's office. Those who cannot attend the hearing but wish to comment can do so by email. The address is VotingSystemComment@ss.ca.gov.

The certification of Diebold's voting systems, along with those made by the other three manufacturers, would increase the number and variety of voting equipment available for counties to purchase in order to comply with the state voter-verified paper audit trail law and the federal accessibility law. All of the touchscreen systems currently used in California must under law be replaced or retrofitted with a voter-verified paper audit trail printer as of Jan. 1 of this year.

At this stage, most counties are unlikely to be considering switching vendors, and are hoping that they will be able to augment their existing systems to comply with the federal and state laws. Counties using Sequoia touchscreens, for example, are counting on the state to lift the condition currently in place that prevents Sequoia's touchscreens from being used in a California Primary due to a component of the system that was not examined by federal testers. According to the Sequoia staff report, federal testing on Sequoia's touchscreens has been "successfully completed" and the state has received draft reports from the federal laboratories but is still awaiting final reports. According to the staff report, "A final report must be received from Wyle upon report acceptance from NASED (National Association of State Election Directors) and prior to State certification of this system."

Thursday, February 23, 2006

New CVF web page about California's manual count law

Since I am frequently asked about California's manual count law, I figured it was time to create a new web page dedicated to this important requirement. The page features background information, the text of the law, seven steps to a meaningful manual count, and links to places where more information about manual counts and public verification of software vote counts can be found.

LA Times articles on Diebold and Voting Security

The Los Angeles Times featured two excellent articles recently about Diebold and voting security. This story by Hemmy So ran in yesterday's paper and describes the legal fallout for Stephen Heller following his release of confidential legal documents relating to Diebold's use of uncertified voting equipment. The legal memos were published by the Oakland Tribune, and ultimately Diebold settled a lawsuit resulting from their use of uncertified software. The episode raises the thorny question of whether it's a crime to commit a crime in an attempt to stop a crime -- in this case, the whistleblower, Mr. Heller, believed thousands of voters were potentially going to be disenfranchised in the next election, which ultimately was the case in San Diego.

Today's LA Times features an excellent column by business writer Michael Hiltzik questioning the recent certification of Diebold's voting equipment, especially in light of the critical security report issued by the Secretary of State's technical advisors. Excerpts from Hiltzik's column are featured below.

------------

Let's face it: When it comes to computer security, we're all slobs.

At work, we scribble our secret passwords on our desk blotters. At home, we leave our Internet connections open to be peeked through by anyone - whether the neighbor next door or a geek in pajamas halfway around the world. We forget our laptops in taxicabs, and transmit our credit card numbers to strangers over the Web.

Generally, the consequences are trivial. Most of the information let loose into cyberspace is, frankly, of no interest to anybody.

But there's no excuse for exposing the integrity of our election system to computer hackers. Yet that's what California Secretary of State Bruce McPherson may have done last week by approving electronic voting machines from Diebold Election Systems for use in California elections through the end of this year.

McPherson's approval was conditioned in part on local election officials keeping the Diebold machines under tight security before polls open. Diebold will have to make significant changes to its software and undergo further scrutiny from state and federal authorities for 2007. Given the rising panic among county registrars about having machines ready for the June primary, it's hard to avoid the impression that McPherson's decision reflected expediency more than confidence in Diebold's work.

Indeed, his ruling produced a statewide sigh of relief from county registrars, who were squeezed between a federal law requiring them to install efficient new high-tech poll machines and a state law requiring the machines to be formally certified. "This means I won't have to go to either Leavenworth or Folsom," San Diego registrar Mikel Haas told me. His county, which will stage a primary on April 11 to replace the bribe-taking Rep. Randy "Duke" Cunningham, bought 10,200 Diebold machines for $31 million in 2003, but hadn't been allowed to use them since 2004.

As the last two presidential elections demonstrate, ballot results are of profound interest to everybody - including determined hackers with partisan agendas. Therefore, it's proper to demand of the high-tech machines replacing the paper ballots and punch cards of yore that they be technologically bulletproof. The Diebold systems certified by McPherson - an optical scanner that reads hand-marked ballots and a touch screen that totes up votes directly - fall well short of that standard.

How do we know this? It's the conclusion of a panel of computer security experts McPherson commissioned specifically to study Diebold's software. Three days after they issued their report Feb. 14, McPherson gave Diebold thumbs up, noting that the panel regarded the software problems it found as "manageable" and had said the risks could be "mitigated" if election officials took care.

But the experts were plainly troubled by flaws in Diebold's systems. The panel, which included David Jefferson of Lawrence Livermore National Laboratory and David Wagner of Berkeley, observed that the removable memory cards used by Diebold were vulnerable to undetectable acts of tampering.

The panel found 16 software bugs that could cede "complete control" of the system to hackers who might then "change vote totals, modify reports, change the names of candidates, change the races being voted on," and even crash the machines, bringing an election to a halt. Hackers wouldn't need to know passwords or cryptographic keys, or have access to any other part of the system, to do their dirty work. Voters, candidates and election monitors wouldn't necessarily know they'd been rooked.

The bugs lead some computer professionals to believe that Diebold's software designers never treated security as a high priority. "It's like they were making a mechanical device, and never heard of computer security," says David Dill, an expert in electronic voting at Stanford University who wasn't on the panel.

The bugs pale next to another discovery by the panel. This is the presence of a cryptographic key written into the source code, or basic software, of every Diebold touch-screen machine in the country. The researchers called this blunder tantamount to "a bank using the same PIN code for every ATM card they issued; if this PIN code ever became known, the exposure could be tremendous."

Here's the punch line: The Diebold key became known in 2003, when it was published by researchers at Johns Hopkins and Rice universities. It can be found today via a Google search. What's worse, the key was first identified in 1997 by a University of Iowa researcher, who promptly warned the manufacturer of the flaw, apparently to no avail.

Diebold contended in 2003 that the Hopkins-Rice researchers had examined "an older version" of its code, suggesting that the flaw had been removed. But that doesn't explain why the same defect was found this year by the Berkeley panel, which wrote that it was hard-pressed "to imagine any justification" for continuing to use a cryptographic key that had been publicly compromised.

A Diebold spokesman told me that the key isn't a security issue today because election officials are instructed to override it with their own key before running the machines. McPherson's office requires county officials to perform the override as a condition to allowing them to use the machines. But many computer security experts say that's a poor solution. The human factor is an inherent flaw in any security system, and it's a mistake to rely on overstressed and overworked election officials to run through a complicated checklist, especially when the procedure would be unnecessary if the system were designed properly in the first place.

Tuesday, February 21, 2006

More details on the Secretary of State's Diebold certification

Last Friday, Secretary of State Bruce McPherson announced he has certified several pieces of Diebold equipment, including the TSX touchscreen voting machine with a voter-verified paper audit trail printer attachment. The certification came with a number of conditions, which are more fully discussed in this report issued by members of the Secretary of State's Voting Systems Technology Assessment Advisory Board (VSTAAB). The Secretary of State has also made public this letter to Diebold, and the certification document, which outlines the conditions under which the equipment may be used in California.

The certification is controversial because it has come after a security flaw was identified by Harri Hursti, who demonstrated how Diebold's code could be exploited to alter vote totals without leaving any trace of the attack. The VSTAAB members discussed this in their report, which concluded that these known security risks could be addressed through tighter procedures, which are reflected in the certification conditions.

Coverage of the certification was featured in this article by Kevin Yamamura in Saturday's Sacramento Bee and this Oakland Tribune article by Ian Hoffman, excerpts from which are featured below.

---------

After almost three years, Diebold Election Systems won approval Friday to sell its latest voting machines in California, despite findings by computer scientists that the software inside is probably illegal and has security holes found in earlier Diebold products.

The scientists advised Secretary of State Bruce McPherson last week that those risks were "manageable" and could be "mitigated" by tightening security around Diebold's voting machines.

McPherson gave conditional approval to Diebold's latest touch-screen voting machines and optical scanners Friday, while his staff ordered the McKinney, Texas-based company to get rid of the security holes as quickly as possible.

In a statement, McPherson said, "after rigorous scrutiny, I have determined that these Diebold systems can be used for the 2006 elections."

The decision is likely to set off a buying spree for as many as 21 counties, more than a third of the state, as local elections officials rush to acquire one of only two voting systems approved for use in the 2006 elections. Registrars and clerks prefer having voting systems for at least six months before conducting a statewide primary like the one in June, partly because it is California's most complicated and error-prone type of election.

---

McPherson's approval comes just in time for San Diego County, which bought the new machines in 2003, used them once in 2004, then saw the state's approval withdrawn. The county has been warehousing 10,000 Diebold AccuVote TSx touch-screens for more than two years and withholding its $35 million payment to Diebold until approval. Now, with an election set for early April to replace Rep. Duke Cunningham, San Diego can use those machines. In June, so could San Joaquin County, which also bought and has been storing the new touchscreens trusting on approval.

---

Sen. Debra Bowen, who chairs the Senate elections committee and is running for the Democratic nomination to challenge McPherson as secretary of state, criticized the approval as contrary to state and federal law.

Part of the software running in Diebold's touch-screens and optical scanners is what computer scientists call "interpreted code" that is loaded by memory cards or PC cards just before an election. That changes the software that private testing labs and states had tested and approved, and for that reason interpreted code is prohibited by federal 2002 voting system standards.

McPherson found that private laboratories charged with testing Diebold's machines for compliance with the federal standards never examined the interpreted code and ordered Diebold back into lab testing. At the same time, he asked a team of scientific advisers from Lawrence Livermore National Laboratory, the University of California, Berkeley and UC Davis, to study the interpreted code and report back. The panel included computer scientists who have been skeptical, even critical of electronic voting systems, such as David Jefferson, Matt Bishop and David Wagner.

The scientists recommended counties change the encryption keys on all Diebold touch-screens and maintain tighter controls over the memory cards and PC cards, for example by requiring two people be present whenever the cards are moved or their contents changed. Serial numbers for the cards and the tamper-proof seals to lock them into the voting machines will have to be logged by elections officials at each polling place.

McPherson adopted those recommendations in certifying the Diebold machines for the June and November statewide elections. His staff wrote Diebold Friday urging the company to fix the bugs in its software and eventually to get rid of the interpreted code entirely.

Friday, February 17, 2006

Secretary of State grants conditional certification for Diebold voting systems

Today California Secretary of State Bruce McPherson issued this news release announcing he has granted conditional certification of Diebold's optical scan and touchscreen TSx voting systems. This news will bring some relief to counties using Diebold equipment which are anxious to upgrade their systems to meet the state voter verified paper audit trail requirement and federal disability access requirement.

The certification of this system was controversial because the Secretary of State discovered that there was interpreted code featured in these two voting systems that was written by Diebold and not evaluated by the federal testing authorities. The Secretary of State sent the code back to the federal testers and asked them to look at it; so far that request has not been fulfilled.

The Secretary of State also asked his Voting Systems Technology Assessment Advisory Board to look at the code in question. This committee is made up of computer scientists, including David Jefferson (one of CVF's board members) and David Wagner of UC Berkeley. The advisory board's report is not yet available online but the Secretary of State's announcement today summarizes the conditions that must be met by counties that will use the Diebold systems.

Wednesday, February 15, 2006

Senate Elections Committee hearing on voting equipment testing tomorrow

Tomorrow the California Senate Elections Committee, chaired by State Senator Debra Bowen, will hold a public informational hearing in Menlo Park to explore the state and federal processes of testing and certifying voting equipment. Several members of the National Science Foundation-funded ACCURATE project will be speaking at the hearing, including computer scientists Avi Rubin, Dan Wallach, David Dill and Peter Neumann. Representatives of county election offices are also scheduled to testify.

Sen. Bowen's hearing dovetails with the ACCURATE workshop taking place the following day in Palo Alto. I'll be attending both events and am chairing a panel discussion at the ACCURATE workshop that will explore what the most critical research problems for elections are.

Thursday's Senate Elections Committee hearing begins at 1 p.m. and will be held at the Menlo Park City Council chambers. See Senator Bowen's news release for more details about the hearing.

Thursday, February 9, 2006

Review of the Senate hearing on open source software in voting systems

Is there a place for open source software in California's electoral system? That was the question asked at yesterday's Senate Elections Committee hearing at the California State Capitol. An archived webcast of the hearing is available online from the California Channel, which will also broadcast it tomorrow (Friday) at 11 a.m. Below is my recap of the hearing as well as the testimony I provided.

State Senator Debra Bowen, who chairs the elections committee, ran the hearing, which was comprised of two panels. The first included experts from the open source industry and representatives from California agencies and a university utilizing open source software. Clark Kelso's testimony was particularly compelling. Kelso, Chief Information Officer for the State of California, briefly described the historic use of computers in California government.

Kelso said that thirty to forty years ago, the state was engaged in its own software development activities, typically on mainframes, and was successful in developing and acquiring stable programs to support state needs. Today many of those legacy systems are stable and still serving the state very well, according to Kelso. Starting in the 80's and 90's, state agencies began to use more commercial off-the-shelf (COTS) software.

Kelso said that the Air Resources Board is the leading department that has begun turning to open source solutions. The agency maintains a culture in their workforce that supports the use of open source, and the strategy has been successful in that it reduces costs, reduces the amount of time needed to develop technology, and helps the agency avoid procurement cycles. This last point is highly relevant to voting systems equipment, where a long procurement cycle often forces counties to limit their options to considering only equipment from vendors that is certified when the procurement process begins.

According to Kelso, the state's policy on open source is that it is an alternative that should be considered and that it is up to project owners to determine the best architecture for their projects. Factors to be considered in making decisions about technology projects include security, reliability, performance, sustainability, development and maintenance risks, technology trends and cost.

The second panel explored the potential use of open source software in the election process. Deirdre Mulligan, director of the Samuelson Clinic at UC Berkeley's Boalt Law School (and a CVF board member) noted that voting systems used to be observable, not just by experts but the public. The move to electronic voting has created barriers for the public and election officials to oversee the technology and have confidence that their votes are captured and counted as intended.

Joe Hall, Ph.D. student at the UC Berkeley School of Information, noted that there are many barriers to any business or nonprofit seeking to provide an open source voting system. There are regulatory barriers, since voting systems must be federally tested and state certified, which may be difficult for new businesses or nonprofits to manage. Hall pointed to a hybrid model, called the Sakai Project, in which universities that were tired of paying management fees for course software got together and created their own consortium to provide the software. Universities that participate must donate coders and pay yearly dues to support the software. Hall suggested a similar consortium of counties, or even states, could achieve something similar for voting systems. (See Hall's blog for their testimony and thoughts on the hearing.)

There was a third panel scheduled, to be comprised of vendors, but none of the vendors attended the hearing, and instead had the Information Technology Association of America (ITAA) send written testimony on their behalf. In it, the ITAA states: "Several states have considered source code review or disclosure requirements for voting systems. Our Election Technology Council members believe that these proposals are ill-advised. Review by, or disclosure to, the general public will not improve the efficiency or effectiveness of voting systems software inspection." Senator Bowen expressed disappointment that the vendors chose not to attend, and noted that it may be necessary to compel their participation in future hearings through a subpoena.

I spoke briefly during the public testimony portion of the hearing. Below is my testimony.

--------

Open source software in voting systems is good, but not good enough. There is no guarantee that the code that's been inspected is the same code that is running everywhere. Security in county election offices is not airtight, and software patches are at times installed without authorization or with limited scrutiny.

We need to avoid finding ourselves in the situation where we ask the public to trust the experts. You should not need to be able to read computer code to have confidence in the integrity of the vote count. This is why the paper trail is essential and why public audits of software vote counts using that paper trail are essential -- having the paper trail and using it to publicly verify software vote counts provides broad public access to meaningful verification of the software's performance. Open source software cannot do that. What it can do is give more people a reasonable degree of confidence that the voting systems will work as expected. But open source software alone cannot verify the accuracy of the vote count -- it cannot verify what actually happened on election day.

That said, it is simply common sense that there is something intuitively wrong with using proprietary software to conduct our elections. Perhaps a private sector vendor will make a public source code voting system, and perhaps some counties will buy it. But if we really were to be serious about integrating public code into our voting systems, we would need to create our own voting system. We would need to invest public money into developing a new system from scratch.

It could be done, and if it's going to happen anywhere, it will be California. But such a system would not negate the need for a voter verified paper audit trail and public audits of software vote counts.

Tuesday, February 7, 2006

Hearing on Open Source Software for voting systems tomorrow in Sacramento

A public hearing will take place tomorrow, February 8 at the State Capitol in Room 112 to examine whether open source software has a place in California's electoral system. The hearing agenda includes CVF Board Member Deirdre Mulligan of Boalt Law School, Peter Neumann from SRI International, and several other invited speakers such as representatives from voting equipment manufacturers.

The hearing starts at 9 a.m. and will most likely last several hours. For those who can't make it to Sacramento, you should be able to watch a live webcast of the hearing on the California Channel, which will also broadcast it the following day, February 9 at 12 noon. Also check out the new open source software report issued by the Secretary of State, which provides a lot of background information on this topic and concludes that further study is needed. Hopefully tomorrow's hearing will help to further flesh out the debate over open source software in voting systems.

Monday, February 6, 2006

Voting systems move closer to certification

Voting systems that meet federal accessibility and state paper audit trail security requirements have passed an important hurdle in the state's certification process. According to this Oakland Tribune article by Ian Hoffman, systems manufactured by Hart, ES&S, Sequoia and Populex have cleared federal testing and are now moving through the state certification process, much to the relief of county registrars who are anxiously awaiting approval of these systems in order to comply with the new state and federal requirements.

Last week the Secretary of State announced that a public certification hearing will take place on March 1 in Sacramento, and the four manufacturers are listed on the agenda. Absent from the agenda is Diebold, whose voting system is still pending certification while federal and state testers further scrutinize the code contained in the system. Since the Secretary of State has already held a public hearing on the Diebold system, no further hearings are required before the Secretary of State makes a final decision.

Though the certification process is moving forward, many counties are still hoping that they will be able to bypass the challenge of purchasing and deploying new equipment for the June election by moving to mail-in balloting. Today's San Jose Mercury News includes an editorial in support of this option. Excerpts are featured below.

------

A mail-in only ballot would give the Secretary of State's office time to thoroughly vet the electronic voting systems without feeling the political pressure of an impending deadline. It also would give the counties time to negotiate deals and train poll workers for the November election.

For 40 percent of state voters, an all mail-in ballot would mean no change in their habits; they already vote by absentee ballot. And yet a mail-in election bill faces tough odds and would require a two-thirds majority of the Legislature for passage. For the wrong reasons, legislators generally have opposed mail-in elections. Elections consultants hate them, and Republicans and Democrats both suspect they would advantage the other party. (It would be a moot argument this time, since the June election is a primary.) There are undocumented claims of widespread vote-tampering.

It is quite possible that the systems will be authorized in the nick of time. As of last week, all major systems except for Diebold's, which is used by 18 counties, have received feds' OK and are undergoing state testing and public review. Santa Clara County, which has bought and used Sequoia Voting Systems' touch-screen machines, is betting on certification.

Why chance it? Counties should have some flexibility.

Wednesday, February 1, 2006

Open Source, Voting Equipment Certification Process to be discussed at upcoming hearings

The Senate elections committee, chaired by State Sen. Debra Bowen, has scheduled public hearings on two major voting technology issues -- open source and the certification process. In announcing the hearings, Bowen said, “To restore people’s faith in the system and ensure ballots are tallied accurately, we need to turn on the lights and let people see the nuts and bolts of how the technology works and how it’s tested for accuracy.”

The Open Source hearing takes place in Sacramento on Wednesday, February 8, 9 a.m. The Certification hearing will be in Menlo Park on Wednesday, February 16, 1 p.m.

More details from the Jan. 27 news release announcing the hearings are featured below.

---------

Questions about whether California should move toward using electronic voting systems that rely on “open source software” and how exactly voting systems are tested and certified for use will be the subject of two hearings scheduled today by Senator Debra Bowen (D-Redondo Beach), the chairwoman of the Senate Elections, Reapportionment & Constitutional Amendments Committee.

---

The first hearing on February 8th will focus on the open source software issue. “Open source software” has been around for several decades, but it’s become more popular in recent years. Some of the more well-known names in the open source software world are Firefox (an Internet browser), Linux (an operating system), and Red Hat (which sells and supports a version of Linux for businesses). Witnesses will include experts on the benefits and shortcomings of open source software in general, businesses and government agencies that rely on open source software, experts on the challenges of using open source software in an electoral setting, and voting machine vendors. The hearing will be in Room 112 at the State Capitol and will begin at 9:00 a.m.

---

The second hearing on February 16th will look at the process of how exactly voting systems are certified for use in California. Witnesses will discuss how the process works, what roles the Elections Assistance Commission, the Independent Testing Authorities (ITA), the voting machine vendors, and the state play in the process – and about what the flaws are in the current system. The hearing will be held in the Menlo Park City Council Chambers at 1:00 p.m. The following day, researchers from around the U.S. who are studying voting technology as part of ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections) will be meeting in Menlo Park, led by nationally-recognized Johns Hopkins University Professor Avi Rubin.

---

“The federal testing process is notoriously weak and it’s done in secret,” continued Bowen. “These supposedly ‘independent testing authorities’ are not only paid for by the voting machine industry, but they also conduct their tests behind closed doors. We need to do away with the secrecy and the ‘Trust us, we know what we’re doing’ approach the voting machine vendors and the Secretary of State are taking with this issue, because California voters deserve a process that’s as open and transparent as possible.”