Guest Blogged by John Washburn
Currently, the public portions of the top-to-bottom review published by California last week have rightly been the subject of banner headlines. A report from the University of Connecticut, however, which was entitled "Integrity Vulnerabilities in the Diebold TSx Voting Terminal" and released a few days prior with not quite as much fanfare, provides an excellent counter to the oft-repeated vendor talking point that the California testing is similar to "giving keys to a thief."
The University of Connecticut report is immune to this specious argument. The University of Connecticut team had no access to source code or any information which was not publicly available. These limitations are precisely what all three vendors defined as "realistic" in their testimony in California at the public hearing on Monday, July 30, 2007. Yet, under these vendor-approved conditions, the University of Connecticut found yet another set of new, serious, and election-altering defects and was able to exploit them in a disturbingly effective manner.
The primary finding of the report is that in a "sleepover" situation, where the TSx DRE is sent home with the poll worker days (or, in the case of San Diego, weeks) ahead of time, it is possible to alter the ballot definitions of the DRE. The alteration would create the behavior where the votes for two candidates are exchanged. Thus, the voter touches the screen next to the name of John Smith, the screen lights up the selection for John Smith, the voter verifiable paper audit trail prints the name John Smith, but, nonetheless, the invisible electronic ballot accrues the vote to Pocahontas. Similarly, voters intending to vote for Pocahontas would have their votes accrue to John Smith. This is a straight-up exchange of votes between two candidates.
The report also mentions how to suppress the display of a given candidate.
This exploit manipulates the ballot definition and nothing else. The successful exploits in the UCONN report take advantage of the fact that the ballot definition is split between the election database and the display portion stored in the .XTR files, without corresponding mechanisms to maintain referential integrity between the two halves of the ballot definition. The election database portion of the ballot definition controls how votes accrue to candidates based on the ballot line. The display portion of the ballot definition controls how names are printed on the screen and the VVPAT record based on the ballot line. Both exploits introduce a referential integrity break between these two halves of the ballot definition.
In the example above, the election database has Pocahontas and Smith on ballot lines 5 and 20, respectively. By swapping the .XTR files, the display portion of the ballot definition has Pocahontas on ballot line 20 and Smith on ballot line 5. Thus, a screen touch on ballot line 5 accrues a vote to the candidate assigned to ballot line 5. According to the election database portion of the ballot definition, this is Pocahontas. The screen and VVPAT print the name associated with ballot line 5. According to the display portion of the ballot definition (the .XTR files), this is Smith. Thus, both the screen and VVPAT say Smith, but the vote on the invisible electronic ballot actually accrues to Pocahontas.
- IF a VVPAT trail exists, and
- IF the VVPAT trail is undamaged, and
- IF an audit is actually performed,

then, and only then, would a careful audit of the VVPAT audit trail discover this manipulation of the ballot definition.
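To make the referential integrity break concrete, here is a small model of a ballot definition split into two halves, as the paragraphs above describe: a tally half that maps ballot lines to the candidate who receives the vote, and a display half that maps the same ballot lines to the name shown on screen and printed on the VVPAT. This is an added example written for this post, not code from the UCONN report or from Diebold; the data structures, names, and the two checks (a cross-check of the halves against canonical candidate names, and a digest binding the halves together) are assumptions about how such a definition could be protected, not a description of how the TSx actually stores it. The VVPAT audit at the end is the only check the post itself credits with catching the swap.

```python
"""Model of a split ballot definition, the swap it permits, and the checks that catch it.

Constructed sample data throughout; nothing here is taken from the TSx or the report.
"""
import hashlib
import json
from collections import Counter

# Tally half (election database): ballot line -> candidate identifier that accrues the vote.
TALLY_HALF = {5: "cand-pocahontas", 20: "cand-smith"}

# Display half (.XTR files): ballot line -> name printed on the screen and the VVPAT.
DISPLAY_HALF_GOOD = {5: "Pocahontas", 20: "John Smith"}
DISPLAY_HALF_SWAPPED = {5: "John Smith", 20: "Pocahontas"}  # display files exchanged

# Canonical candidate names, as the election database itself would hold them.
CANDIDATE_NAMES = {"cand-pocahontas": "Pocahontas", "cand-smith": "John Smith"}


def cast_ballots(tally_half, display_half, touches):
    """Simulate voters touching ballot lines.

    Returns (electronic_tally, vvpat_printout). The electronic tally is keyed by the
    candidate id the tally half assigns to the line; the VVPAT records whatever name the
    display half assigns to that same line. With a mismatch, both stay internally
    consistent but disagree with each other.
    """
    tally = Counter()
    vvpat = []
    for line in touches:
        tally[tally_half[line]] += 1
        vvpat.append(display_half[line])
    return tally, vvpat


def check_referential_integrity(tally_half, display_half, candidate_names):
    """Hypothetical pre-election check: for every ballot line, the displayed name must be
    the canonical name of the candidate who receives the vote on that line.

    Returns a list of (line, expected_name, displayed_name) for every mismatch.
    """
    mismatches = []
    for line, cand_id in tally_half.items():
        expected = candidate_names[cand_id]
        shown = display_half.get(line)
        if shown != expected:
            mismatches.append((line, expected, shown))
    return mismatches


def bind_halves(tally_half, display_half):
    """Hypothetical binding digest over both halves together.

    Stored alongside the election definition, it changes whenever only the display files
    are replaced, so a swap is detectable before any vote is cast.
    """
    canonical = {
        "tally": {str(k): v for k, v in tally_half.items()},
        "display": {str(k): v for k, v in display_half.items()},
    }
    blob = json.dumps(canonical, sort_keys=True).encode("utf-8")
    return hashlib.sha256(blob).hexdigest()


def audit_vvpat(tally, vvpat, candidate_names):
    """Post-election audit: compare the electronic tally with a hand count of VVPAT names.

    Returns {candidate_id: (electronic_count, paper_count)}; the two differ on a swap.
    """
    paper = Counter(vvpat)
    return {cid: (tally[cid], paper[name]) for cid, name in candidate_names.items()}


if __name__ == "__main__":
    touches = [5, 5, 20]  # constructed: two voters choose line 5, one chooses line 20
    for label, display in (("good", DISPLAY_HALF_GOOD), ("swapped", DISPLAY_HALF_SWAPPED)):
        tally, vvpat = cast_ballots(TALLY_HALF, display, touches)
        print(label, "integrity mismatches:",
              check_referential_integrity(TALLY_HALF, display, CANDIDATE_NAMES))
        print(label, "binding digest:", bind_halves(TALLY_HALF, display)[:16], "...")
        print(label, "VVPAT audit (electronic, paper):",
              audit_vvpat(tally, vvpat, CANDIDATE_NAMES))
```

Run as written, the "good" definition reports no mismatches and the audit columns agree; the "swapped" definition reports a mismatch on both lines, produces a different binding digest, and the audit shows the electronic and paper counts exchanged between the two candidates. The point of the two extra checks is that they run before the election, whereas the VVPAT audit only catches the problem afterwards, and only under the three conditions listed above.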
The needed tools for either of these exploits are:
- 1) A laptop with a PCMCIA card reader,
- 3) The desire to "take one for the team" and commit a felony to further your candidate.
It must be stressed again that this all was discovered with nothing more than access to the DRE machine. This examination was under vendor-approved conditions. There was no access to any information an election official would not normally have or any information which a determined citizen could not find out during a DRE sleepover prior to an election.
The takeaway here is that if you can poison the well (the computer programming and/or configuration files in the DRE), everything which proceeds from the DRE is potentially corrupted as well. The UCONN report demonstrates that the Diebold TSx DRE can produce consistent election records that are not accurate election records.