“As long as I count the votes” dep’t: Edward Felten

The contracts between Sequoia Voting Systems and local elections officials give the company the power to prevent any inquiry into whether its machines work as advertised.

The vulnerability of paperless voting systems to undetectable manipulation is one of those genuine problems that unfortunately attract so many tinfoil-hat conspiracy theorists as to make them hard to pay serious attention to. So I’m grateful to WhyTuesday.org for pointing me to Edward Felten of Princeton, whose blog Freedom to Tinker has a wealth of calm and interesting analysis.

In his interview with WhyTuesday, Felten makes what seems to me a shocking revelation: under the contracts between the voting machine companies and the local election authorities &#8212 contracts paid for by federal tax dollars &#8212 the companies have the power to stop elections officials from investigating apparent irregularities. Sequoia Voting Systems threatened Union County, NJ with a lawsuit if Union County allowed Felten to examine its machines, and Union County backed off.

What are they hiding? And how long is Congress going to put up with it? The notion that a private entity with a direct interest in the outcome can prevent inquiry into whether its products work as advertised, and in so doing make it impossible to know whether the votes reported match the votes cast, is outrageous on its face. We’re playing for high stakes with Big Jule’s dice.

Footnote And of course this points up the colossal bad faith of the Republican politicians and their media and judicial lapdogs in making a fuss about the nonexistent problem of false-identity voting (in order to disenfranchise poor and elderly people who don’t have the “right” forms of identification) while not demanding even elementary standards of transparency from the voting-machine industry. If you’re worried about one person casting votes in multiple names, there’s a low-tech solution. Inky fingers, anyone? But since that doesn’t result in disenfranchisement of people likely to vote Democratic, the Republicans aren’t interested.

But …. but …. but ….

… who cares if Venezuela owns a piece of Sequoia Voting Systems. It’s not as if there’s any way to cheat, is there?

… we all know that electronic voting machines are basically hack-proof, and there’s no way the political leanings of those who make the machines and the software (e.g., the fervent Republicanism of the CEO of Diebold) could possibly matter. Anyone who thinks otherwise is a conspiracy theorist who’s probably shy a tinfoil hat. Right?

So why is it a problem if the Venezualan government own a piece of the parent company of Sequoia Voting Systems?

Actually, I’m pleased. Maybe this will finally get the black box issue the attention it deserves.

It turns out there’s a simple solution, by the way: a touch-screen machine that prints out a paper ballot for the voter to drop into the ballot box. The ballots are machine-readable, but there’s something physical to recount if a recount is needed.

Better late than never

The Washington Post finally reports — a month after it happened — about the dramatic public demonstration that the vote counts coming out of Diebold opscan machines have no necessary connection to the votes going in to Diebold opscan machines.

The Washington Post breaks the virtual Big Media embargo on the news that Diebold’s optical-scanning voting equipment turns out to be almost trivially easy to hack.

As the Leon County supervisor of elections, Ion Sancho’s job is to make sure voting is free of fraud. But the most brazen effort lately to manipulate election results in this Florida locality was carried out by Sancho himself.

Four times over the past year Sancho told computer specialists to break in to his voting system. And on all four occasions they did, changing results with what the specialists described as relatively unsophisticated hacking techniques. To Sancho, the results showed the vulnerability of voting equipment manufactured by Ohio-based Diebold Election Systems, which is used by Leon County and many other jurisdictions around the country.

Sancho’s most recent demonstration was last month. Harri Hursti, a computer security expert from Finland, manipulated the “memory card” that records the votes of ballots run through an optical scanning machine.

Then, in a warehouse a few blocks from his office in downtown Tallahassee, Sancho and seven other people held a referendum. The question on the ballot:

“Can the votes of this Diebold system be hacked using the memory card?”

Two people marked yes on their ballots, and six no. The optical scan machine read the ballots, and the data were transmitted to a final tabulator. The result? Seven yes, one no.

Of course, that’s deja lu to anyone who’s been reading the BlackBoxVoting website. As the Post story notes, Harri Hursti’s dramatic public demonstration took place more than a month ago. It’s good to know that neither the Post nor its competitors feels any childish impulse to report the news first, or even while it’s still new.

Of course, we all know that anyone who thinks that the votes as counted in 2004 were different enough from the votes as cast to turn the election results around is paranoid. But, in light of the Florida test, and the density of Diebold machines in Ohio, I’d like to be reminded just how we know that.

Update It looks as if Alaska had some serious vote-counting problems. No one in his right mind thinks Kerry carried Alaska, but the Alaska Senate race was heartbreakingly close: Murkowski saved her seat by fewer than 10,000 votes.

How many votes were stolen in Ohio?

Hitchens says: quite a few. Worth checking out.

Gary Farber makes two good points.

1. Christopher Hitchens offers a reasonable prima facie case that there was large-scale dirty work in the Ohio vote count: unaccountable patterns of undervotes and votes counted for fringe candidates, on top of the ordinary business of making sure that places where Democrats vote didn’t have enough machines.

2. The fact that Hitchens supported Bush creates a presumption that he isn’t just making it up.

Hitchens doesn’t strike me as an especially reliable reporter, so I wouldn’t just take his word for it. But he’s no fool, and the story he tells seems convincing. So I’m inclined to take it seriously unless and until someone shows that it isn’t right.

Can you say “undemocratic”?

Diebold is trying to use the copyright laws to stifle discussion of whether its proprietary (read: secret and unaccountable) vote-counting software, which due to the lack of paper ballots provides no audit trail whatever, can be used — perhaps even has been used — to steal elections. The Electronic Frontier Foundation is resisting.

Update More from Tom Runnacles, who says that he wouldn’t use one of the key software elements in the Diebold system to manage a piggy bank.

Guess which side I’m on?

Of course, by trying to prevent the posting of the memos, Diebold in effect concedes that they are genuine.

The threat here is impossible to overstate. If the party currently in power can give the contract to count the votes to its friends, and if the count can be set up in a way such that cheating is easy and recounting impossible, then the party in power can stay in power forever.

Update Tom Runnacles at Crooked Timber, who (unlike me) seems to know a RDBMS from a hole in the ground, says he wouldn’t trust Access, a seemingly a key piece of the Diebold system, to run a piggy bank.

And here’s the Scoop item with some of the incriminating memos. Diebold’s technical folks tell one another (1) The existing system can be cracked, and its audit log modified, without a password; (2) That could be fixed by using a password; (3) Such a step should be taken if the customers want it; but (4) It won’t matter because there are better and easier ways to crack the system.

Right now you can open GEMS’ .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn’t anything new. In VTS, you can open the database with progress and do the same. The same would go for anyone else’s system using whatever database they are using. Hard drives are read-write entities. You can change their contents.

Now, where the perception comes in is that its right now very *easy* to change the contents. Double click the .mdb file. Even technical wizards at Metamor (or Ciber, or whatever) can figure that one out.

It is possible to put a secret password on the .mdb file to prevent Metamor from opening it with Access. I’ve threatened to put a password on the .mdb before when dealers/customers/support have done stupid things with the GEMS database structure using Access. Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That’s why we’ve never put a password on the file before.

Note however that even if we put a password on the file, it doesn’t really prove much. Someone has to know the password, else how would GEMS open it. So this technically brings us back to square one: the audit log is modifiable by that person at least (read, me). Back to perception though, if you don’t bring this up you might skate through Metamor.

There might be some clever crypto techniques to make it even harder to change the log (for me, they guy with the password that is). We’re talking big changes here though, and at the moment largely theoretical ones. I’d doubt that any of our competitors are that clever.

By the way, all of this is why Texas gets its sh*t in a knot over the log printer. Log printers are not read-write, so you don’t have the problem. Of course if I were Texas I would be more worried about modifications to our electronic ballots than to our electron logs, but that is another story I guess.

Bottom line on Metamor is to find out what it is going to take to make them happy. You can try the old standard of the NT password gains access to the operating system, and that after that point all bets are off. You have to trust the person with the NT password at least. This is all about Florida, and we have had VTS certified in Florida under the status quo for nearly ten years.

As long as our software counts the votes,
    what are you going to do about it?

I don’t really know how seriously to take the risk that electronic voting systems are subject to undetectable rigging at the software level, but I know that it’s a risk I’d rather not have to think about at all. Rep. Rush Holt of New Jersey (who used to be Assistant Director of the Plasma Physics Lab at Princeton) has proposed a law that would make me sleep easier: it would require, among other things, a paper record of every vote and random audits. South Knox Bubba has the details. The fact that such simple safeguards didn’t make it into the “election reform” bill might hint, to someone more conspiratorially minded than I, that the Republican leadership doesn’t really mind a little bit of voter fraud, as long as their friends get to do it.

Write your Congressman.