Focuses on Testing the Machines, Ignores the History of the Vendor
and that's short-sighted, in my view ... what do you think?
By Winter Patriot on 7/26/2006, 3:47am PT  

Guest blogged by Winter Patriot

A vigilant BRAD BLOG reader (here's a tip of the hat to sorseress) has sent me a very interesting editorial from Tucson, and asked me what I thought. What an invitation! I've been following the discussion, but I'm no expert, especially compared to Brad --- not to mention some of his readers! So I figured I'd post a link and quote some quotes and share some of my reactions, and ask you whether or not you agree.

I'm especially serious about this next bit: your opinions --- pro or con --- are most welcome in the "comments" section of this thread.

OK? Here's the editorial, from the Arizona Daily Star and azstarnet.com:

Touch-screen voting machine needs an OK

Our view: Supervisors should approve use of the new equipment for the Sept. 12 primary, barring demonstrable flaws.

I suppose everything hinges on what you mean by "demonstrable" ... and what you mean by "flaw" ...

So here are my questions: Demonstrable flaws in what? How many flaws? How serious do they have to be? And how do they have to be demonstrated?

In my nearly frozen opinion, one serious security flaw should be enough to disqualify any machines and/or any vendors from consideration. And I would like the flaws to be demonstrated elsewhere, please! After all, isn't it easier to learn your lessons the easy way --- by watching what happens when somebody else makes a mistake?

But let's not get ahead of ourselves here: that's just the headline: Here's the bulk of the editorial:

Tucson, Arizona | Published: 07.24.2006

The Pima County Board of Supervisors should approve the use of touch-screen voting machines for the Sept. 12 primary election.

On June 6, the five-member board approved buying — but not using — 409 Diebold Elections Systems machines. The county bought one machine for each precinct because it had to spend $2 million in federal money to be in compliance with the Help America Vote Act.

So far the Board seems quite sensible; they had to spend the money so they spent it, but they didn't actually have to use the machines, so they haven't ... so far!

The Diebold product was purchased at the Arizona secretary of state's insistence because the county uses the company's fill-in-the-bubble optical scanners.

Aha! I know this story. This is the one about the man who dove headfirst into the quicksand because he had accidentally touched the sand with his toe!

I've seen this movie before. The poor fellow dies. Such a shame!

Voter fraud potential, unreliability, inadequate system integrity, security risks and unanswered questions were among the concerns cited by citizens and groups such as Arizona Citizens for Fair Elections. Two supervisors, Republican Ray Carroll and Democrat Richard Elías, voted against the county's purchase of the touch-screen machines.

Three cheers for the concerned citizens and groups, and three more cheers for the supervisors who voted against Diebold machines.

With the approval to buy the touch-screen equipment came a directive to the staff to thoroughly test the machines before the supervisors would consent to their use.

Rightly so, in my view. But do the staff --- or the supervisors --- know what to look for? And do they know where to look for it?

In a July 2 editorial, we asked that the county be exhaustive in its scrutiny and in replication of as many scenarios for fraud as possible.

Personally I support that position. Who wouldn't? ... ok ok ... I know who wouldn't ... but let's not go there.

Oh, no... let's definitely not go there!

On Wednesday, County Administrator Chuck Huckelberry issued an attachment-laden 50-plus-page memo to the board recommending that it authorize the use of the touch-screen devices.

The County Administrator has a wonderful name but I can't say the same about his position on this issue. On the other hand I do recognize his tactics. A great big thick stack of documents and an urgent demand. We read something about that in Information Warfare 103, if I recall.

Packed with news clippings, security recommendations, flow charts, checklists and analysis, the memorandum indicates that by incorporating the rigorous security measures that the county staff has outlined, the machines should be good to go, with early voting beginning Aug. 10.

Oh, yeah, GOOD TO GO. Oh yeah, SHOULD BE. It seems to me I've heard that song before / it's from an old familiar score ... Sammy Cahn, wasn't it? Wonderful! But I digress...

I have no problem with rigorous security procedures. My problem here is with the difference between theory and practice. In other words, you can plan and test for everything imaginable, but that's no guarantee that you've checked for every possible security loophole. Just one loophole can compromise the entire system. And it's hard if not impossible to test for all of them, because Diebold machines run "proprietary software" ... we're talking about secret code!

Not secret code like spies use! I mean the instructions that the computer follows. That's what we call "the code". The computer does whatever the code tells it to do. And in the case of Diebold machines, the code is secret.

It's proprietary, it's protected, it's a trade secret, and blah blah blah ... the sad fact is: nobody can inspect this code to see whether it makes sense; whether it is designed in a purely vote-counting way, with no shenanigans --- whether it's designed to ensure that no shenanigans are possible. That's what I would want to see: the code! And that's what I would want to look for: shenanigans. But the county inspectors can't do that. They can't see the code. They can only poke the machines in certain ways and see what happens. You could never do exhaustive testing that way --- not with any non-trivial machine --- and certainly not before August 10th!

An infinite number of monkeys could not poke these systems enough to validate the entire range of their behavior. Sad but true. So a few county testers, working for a few weeks ... haven't got a snowball's chance in ... Arizona ... of covering all that ground in such a short time!

I don't mean to be alarmist, but I'm a computer programmer when I'm not blogging, and I know enough about security to tell you that this chain is only as strong as its weakest link ... or maybe I should say the wall is only as strong as its weakest brick. In any case, one security flaw is (or should be) way too many.

In other words, if there is a single security hole anywhere in the system --- and nobody thinks to test for it --- that flaw would be enough to put all elections run on those machines at risk. I can feel the quicksand between my toes, just from writing these words.

The board will make its decision at a special meeting in August. The equipment and the security measures will be demonstrated during that meeting, Huckelberry said.

Am I justified in my suspicion that the special meeting will feature a highly-polished yet smoothly deceptive presentation from the "good" folks at Diebold?

Among the standards that must be in place are a secure chain of custody. Only scrupulous attention to who has access to the new equipment, and when, can eliminate the potential for tampering.

Well, yes, but as we have recently seen in California, the mere presence of stringent laws and regulations means nothing if the laws are not strictly enforced. We've seen case after case where laws that are not enforced are not obeyed. And who can wonder? If there's no one to prosecute the offenders, then what?

The state of Utah could be viewed as the beta group for the new machines. Among the memorandum's attachments were comments and news clippings from Utah, which used 7,500 Diebold touch screens in its June 27 primary. The Salt Lake Tribune reported that voters found the equipment surprisingly easy to use. No accuracy errors or fraud incidents were reported.

That's not a big surprise, and unfortunately it doesn't prove anything. Most of the time, the fraud --- if there is fraud --- is (or would be) impossible to detect. It looks like voting, and it feels like voting. But what if it's not?

As we also noted in our July 2 editorial, new state legislation created an audit system to check elections that addresses some of the concerns about touch-screen voting machines.

I applaud an audit system but I beg you to find me an auditing system that cannot be gamed --- especially when the vendor considers that not only the code but also --- outrageously! --- the data is "proprietary"! In other words, if I knew that a particular vendor had told a particular state that it couldn't release the data from the 2004 presidential election because doing so would jeopardize its readiness for the upcoming primaries, I would have to think long and hard about whether I wanted that vendor to see a nickel of my money. Maybe I'm crazy, but if I accidentally dipped my toe in quicksand I would get myself out of there as quickly as possible.

Under the new state law, after the polls close, 2 percent of the precincts in each county will be selected at random and the ballots will be hand-counted in three races. If the hand-count and the machine-count do not match, there will be a second hand-count. If the disparity remains, there will be a full hand-count that may or may not be limited to a single race.

This is good but it's not enough. Suppose there's a recount but instead of randomly selected precincts, the recount only touches a few carefully selected precincts? And a few carefully selected races? Suppose there's a recount and the vendor sends in a technician to tell the recounters what their totals should be? Crazy?? Yes, of course it's crazy. And I would never dream of mentioning it. Except that it's happened already. Both of these sorts of things happened during the so-called recount in Ohio after the so-called presidential election of 2004. So there's no guarantee that it can't happen again.
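An added example (not part of the editorial or of the original post) that puts numbers on the 2 percent audit for a county with 409 precincts, the figure the editorial gives, and shows a draw that anyone can recompute so the sample cannot be hand-picked. Rounding the sample size up, the seed string, the precinct numbering and all function names are assumptions made for illustration.

```python
import hashlib
import math

def sample_size(precincts, rate=0.02):
    # Assumption: a fractional precinct rounds up; the editorial does not say.
    return max(1, math.ceil(precincts * rate))

def detection_probability(precincts, altered, sampled):
    """Chance that a uniform random sample hits at least one altered precinct.
    Assumes a hand count of an altered precinct always exposes the mismatch."""
    if altered <= 0:
        return 0.0
    missed = math.comb(precincts - altered, sampled) / math.comb(precincts, sampled)
    return 1.0 - missed

def sample_needed(precincts, altered, target=0.95):
    """Smallest sample that reaches the target detection probability."""
    for n in range(1, precincts + 1):
        if detection_probability(precincts, altered, n) >= target:
            return n
    return precincts

def select_precincts(precinct_ids, public_seed, sampled):
    """Reproducible draw: rank precincts by SHA-256(seed:id), take the lowest.
    Anyone holding the seed can recompute the list, so a hand-picked sample
    is detectable. The seed must be fixed in public after the polls close."""
    def rank(pid):
        return hashlib.sha256(f"{public_seed}:{pid}".encode()).hexdigest()
    return sorted(sorted(precinct_ids, key=rank)[:sampled])

if __name__ == "__main__":
    N = 409  # one touch-screen machine per precinct, per the editorial
    n = sample_size(N)
    print(f"{N} precincts, {n} audited")
    for k in (1, 5, 10, 40):
        p = detection_probability(N, k, n)
        print(f"{k:>3} altered precincts: caught with p={p:.3f}; "
              f"{sample_needed(N, k)} audited precincts needed for p>=0.95")
    # Constructed seed for illustration, e.g. dice rolled at a public meeting.
    print(select_precincts(range(1, N + 1), "constructed-seed-2006", n))
```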

Paranoid? Do I sound loony? Maybe I do, but maybe that's because I've been reading about these Diebold guys --- and their machines --- and their shenanigans --- for a long, long time. I wouldn't trust them --- or their machines --- any further than I could throw them. And I would always be on the lookout for shenanigans.

Voters will also get a chance to confirm their ballots with the new equipment. In our July 2 editorial, we pointed out that a voter-verified audit trail is required in Arizona. After a ballot is complete on the touch-screen machine in the voting booth, the voter must ask for an electronic summary or, for the visually impaired, an audio feedback.

Hooray for the voter-verified audit trail! Hooray for Arizona for requiring it! But I still don't trust the system. And I still don't trust the vendor.

I also don't understand what would be the matter with having a provision for blind (or otherwise challenged) voters permitting them to bring a trusted friend to help them vote. I don't mean to minimize the difficulties of voting for blind and otherwise physically disadvantaged voters, but also I don't want to put our elections in the hands of known criminals just because blind people cannot see paper ballots. Whatever happened to the maxim that the remedy should suit the problem?

The county staff has been diligent in its testing of the equipment. Unless there is demonstrable evidence of flaws in the new system, we recommend that supervisors approve the use of the new equipment.

But ... but ... but ... even if there are no obvious flaws with the system, as tested over the next few weeks and demonstrated at the special meeting, what if there is considerable --- no! undeniable --- evidence of flaws --- and fraud --- in the history of the vendor? Should we base the entire decision on the system that will be tested by the county testers and demonstrated at the big dog and pony show, I mean special public meeting? Don't we want to stop and consider the source here?

We're talking about the manufacturers of the least secure elections system anyone has ever designed --- or probably ever could design. Doesn't that matter?

We're talking about a company whose software is not only secret but was probably designed by a sophisticated trickster who has been imprisoned for multiple counts of computer fraud. Doesn't that matter too?

We're talking about a vendor who has left major security risks unrepaired and unreported for more than a year. Does that matter even a little bit?

We're talking about a vendor which has consistently refused --- or failed --- to honor its commitments to its customers --- boards of elections around the country --- and to the voting public at large. A company whose machines have been associated with one bungled election after another. Does that matter at all? Does it matter to anyone but me?

We're talking about a vendor which has a history of "bribing" Elections Officials and buying off Lobbying Groups for the Blind. Doesn't that matter? To me it matters a lot more than what happens in a few weeks of testing, and the upcoming dog and pony show combined!

Personally I would not be willing to consign even 1% of something this important to any company with a record like Diebold's. Even if the dog and pony show turns out to be a smashing success.

Nothing against dogs, or ponies. But listen:

I'm smart enough to run away from quicksand. And I'm in favor of fair --- and demonstrably fair --- elections.