Guest Blogged by Michael Dean...
The software most likely to steal elections is the BALLOT DEFINITION SOFTWARE loaded onto paper-based optical-scan and DRE (usually, touch-screen) voting machines in county elections offices across the U.S. just before the machines are sealed with security tape and transported to election polling locations.
And yet, the frightening reality is that there is little or no oversight of that software itself, nor of the people --- usually sub-contractors, who could be anyone from a non-U.S. citizen, to a criminal, to a political party operative --- who program that ballot definition software. Moreover, there is little or no testing of such software, despite the fact that it stores the ballot positions for all candidates and initiatives on every ballot, on every voting machine, and tallies the votes for all of them on election day.
For all of the concerns about election fraud, via the electronic voting systems in use across the nation today, and the eye on the source code for the software itself, few seem to have their eye on the ballot definition software, which can --- even on e-voting systems where the hardware, and main program software has been tested, certified, and audited --- succeed in flipping an election without detection, either by error, or on purpose.
Concerned yet? Read on...
What is Ballot Definition Software?
Ballot definition software is constructed for each election and defines the ballot positions for each candidate and proposition for each voting precinct. Miami-Dade County in Florida [PDF], for example, has 750 voting precincts and usually requires several hundred unique ballot definitions for federal general elections.
As Ellen Theisen of VotersUnite.org attempted to warn in her 2004 study, ballot definition software creates the ballot image that people see on the screens of every brand of DRE/touch-screen voting machine. DRE/touch-screen and paper-based optical scan machines use ballot position coordinates, also coded in the software, to determine how finger touches on the touch-screen, or marks on the paper ballot, are mapped to candidate positions on the ballot. The software tabulates finger touches and marks on paper ballots as candidate votes and then stores those tabulated vote counts in the machine’s “virtual ballot box”, the data memory card itself. Finally, ballot definition software then tallies final election results when the polls close on Election Day.
Public Inspection of Ballots, Ballot Boxes and Ballot Counting
All DRE/touch-screen and paper-based op-scan manufacturers and vendors hold that all software, including the ballot definition software, is proprietary and confidential (a trade secret) and may not be inspected by county election officers, election judges, candidates or citizen election observers. Moreover, judges have accepted this proprietary and confidential argument.
For example, presiding Florida Circuit Court Judge William L. Gary denied plaintiff Christine Jennings’ motion to allow review of the software code for the DRE/touch-screen machines used in the contested 2006 U.S. House race between Democrat Christine Jennings and Republican Vern Buchanan for Florida's 13th district where 18,000 votes mysteriously went missing from the machines.
Many states have, within their election code, laws that give public observers the right to inspect ballot boxes to make sure they are empty and to inspect ballots to make sure they are accurate and complete before the polls open on Election Day. (Example: New Hampshire Election Code Section 658:36 Inspection of Ballot Box – At the opening of the polls, the ballot box shall be publicly opened and shown to be empty; and the election officers shall ascertain that fact by a personal examination of the box. eff. July 1, 1979) Many states also have within their election code laws that allow public observers to watch election clerks open ballot boxes and count the ballots at the end of the Election Day.
That ballot and ballot box inspection laws are on the books of most states --- due to a long and dismal history of election fraud, in both rural areas and big cities --- demonstrates that every election process used throughout history has been exploited by corrupt elements.
Ballots and ballot boxes constructed of software and silicon, therefore, are no different in practical purpose and democratic significance than ballots and ballot boxes constructed of paper and metal. Election inspection and observation law is the guarantee for democracy; the laws guarantee that election judges, candidates and citizens have the right to inspect ballots and ballot boxes and observe ballot counting as democratic insurance for fair and true elections.
Activist Judges, such as Florida Circuit Court Judge William L. Gary, who accept the voting machine industry’s "proprietary" and "confidential" arguments and rule that ballot definition software may not be inspected by county election officers, election judges, candidates or election observers, in fact, create new election law from the bench that runs contrary to ballot and ballot box inspection and ballot count observation laws already on the books of nearly every state.
DRE Voting Machines Used in Over One Third of U.S.
In the November 2006 general election there were 1,142 counties using DRE/touch-screen voting machines (36.63 percent of all 3089 U.S. counties) and 1,752 counties using optical scanners. This tabulates to 2,894 counties and 161,111 voting precincts that depended on ballot definition software written in the weeks just before each election.
Touch-screen voting machines are identified as direct recording electronic (DRE) devices because voter ballot selections on the touch screen are directly recorded as ballot tally counts on data memory cards. No paper ballot or other reliable record of voter intent remains after voters step away from DRE voting machines. When ballot tally count anomalies arise, such as in the 2006 FL-13 race where 18,000 votes went missing from DRE machines, no ballot recount is possible.
In precincts using paper-based op-scan counting machines, voters mark paper ballots, which are scanned, counted and stored in actual, physical ballot boxes. Paper ballots, which remain after voters leave the polling place, can be hand counted and compared to op-scan tallies when, and if, ballot count anomalies arise.
For the 2008 primary and general election season, the use of DRE/touch-screen voting machines has decreased slightly, while the use of optical-scanners has increased across the U.S. While the numbers have shifted slightly over the past two years, the total number of election jurisdictions using some type of electronic machine running ballot definition software at polling places or the central elections office for ballot tabulation continues to increase.
Who Creates Ballot Software for Each Election?
The task of creating ballot definition and tallying software is so large and complex that many counties contract the work to voting machine vendors or consulting/programming companies. Most vendor and consulting companies themselves do not maintain a staff of programmers large enough to write all the ballot definition software for all the voting precincts of all their county elections office customers across the U.S. Therefore, the work is often assigned to yet another layer of temporary or sub-contracted programmers. These sub-contractors may, or may not, be U.S. citizens.
Who checks the credentials of all these contract programmers writing "last minute" ballot software? Who asks if contract programmers work for a foreign government, other foreign interest, political party or candidate up for election? Who asks if they have criminal records? Who checks to make sure they do not have connections to a Karl Rove-type political operative? Who performs detailed audits or certification testing of the ballot definition software they write?
The frightening answer to all questions is - no one!
Who Certifies that Ballot Software is Error Free?
You'll not like the answer to that question either.
Paper-based op-scan and DRE/touch-screen voting machines all have some form of firmware software that controls basic hardware functions and Operating System (OS) software, something like the Microsoft Windows system that runs on your home computer. Together, those elements provide the application system operating environment. Election Application System (EAS) software, which runs within the operating environment, supports and controls the operation of ballot definition software.
Voluntary voting system standards [PDF], developed by the U.S. Election Assistance Commission (EAC) and the National Association of State Election Directors (NASED), require that the specific versions of all software, including firmware, OS and EAS, that runs in voting machines on election day, must be subjected to a software audit and be stored in escrow.
The software packages that programmers use to create ballot definition software modules, however, are not subject to these auditing and escrow rules.
County and state election officials and voting machine industry representatives often insist that voting machine software is “certified” and secure because the Firmware, OS and EAS software has been audited (if meagerly, at the federal level) and is stored in escrow by a software auditing company. Even at that, not all states and voting machine manufacturers fully comply with the EAC and NASED regulations to audit the exact versions of software that run in voting machines on election day.
While some version of the firmware, OS and EAS software for some voting machine manufacturers’ equipment may be audited and stored in escrow, ballot definition software, hurriedly written in the weeks just before each election, is not independently audited. Ballot definition software is not submitted to any independent testing laboratory for audit and often it is not directly tested [PDF] by county election officials, as VotersUnite's Theisen warned, to little notice, so many years ago.
Furthermore, memory cards/modules, on which ballot definition software is delivered to county elections offices, can also carry other software components that can update --- secretly, as necessary --- firmware, OS and EAS software as the ballot software is loaded onto each and every voting machine.
Even if the version of firmware, OS and EAS software installed on voting machines is the audited and certified version, such updates from memory cards/modules invalidate the audit, unless they have been scrupulously logged, audited and tested. But that doesn't happen.
County election officials across the U.S. all too often do not carefully inspect those memory cards/modules to know exactly what software components may be loaded onto their voting machines. In fact, it is the contractors who often load the memory card/module contents onto voting machines.
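One way the inspection described above could be done, as an added example that is not part of the original post and does not reflect any vendor's card format: hash every file on a card and compare it against a manifest recorded when the ballot definition files were reviewed, so that an altered definition or an extra component is reported before the card is loaded. The file names, the manifest layout and the function names are assumptions.

```python
import hashlib
from pathlib import Path


def load_card(root):
    """Read every file under a mounted (read-only) card into {relative path: bytes}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(files):
    """Manifest of the reviewed contents: {path: SHA-256 hex digest}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def inspect_card(card_files, approved):
    """Classify the card's contents against the approved manifest."""
    report = {"unexpected": [], "modified": [], "missing": []}
    for path, data in card_files.items():
        if path not in approved:
            report["unexpected"].append(path)   # component nobody reviewed
        elif hashlib.sha256(data).hexdigest() != approved[path]:
            report["modified"].append(path)     # changed after review
    report["missing"] = [p for p in approved if p not in card_files]
    for paths in report.values():
        paths.sort()
    return report


# Constructed sample data (hypothetical file names): the files as reviewed, then the
# card as delivered, with one altered definition and one extra component.
REVIEWED = {"ballot/precinct_001.def": b"Governor:Alvarez,Brook,Chen\n",
            "ballot/precinct_002.def": b"Governor:Alvarez,Brook,Chen\n"}
APPROVED = build_manifest(REVIEWED)
DELIVERED = {"ballot/precinct_001.def": b"Governor:Alvarez,Brook,Chen\n",
             "ballot/precinct_002.def": b"Governor:Brook,Alvarez,Chen\n",
             "system/update.bin": b"\x00constructed placeholder\x00"}

if __name__ == "__main__":
    print(inspect_card(DELIVERED, APPROVED))
```

The check is only as trustworthy as the manifest, which has to be produced and stored by someone other than the party delivering the cards.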
After elections, it has become nearly impossible for citizens to inspect those memory cards to ensure they were accurate, error and fraud-free, as we saw after New Hampshire's recent primary when even the candidates who paid for recounts, were denied the ability to inspect the memory cards used across the entire state to count some 80% of the votes.
Those election jurisdictions that do test their ballot definition software, often simply execute a testing procedure written by the same contractor that delivered their ballot definition software. Yes, the person that writes the ballot definition software often creates its certifying test procedure.
A few counties across the U.S. do construct their own test procedures to augment the test procedures delivered by their contractors. But even when these basic function testing procedures are executed, they are run in a “test election” mode rather than the actual Election Day mode, so the ballot definition software is never subjected to a true Election Day field test. For those who know how computers work, and how to hack them, it's a simple trick for malicious software to determine what day and time it is, and what mode the computer may be in, before determining if an embedded hack routine should run, or lie dormant until the moment it's actually needed.
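An added example (not part of the original post, and not any vendor's format) of a county-built test deck for the position-to-candidate mapping that ballot definition software carries: each ballot position is marked a different number of times, so a definition that credits a position to the wrong candidate changes the totals, while a deck that marks every position equally does not notice. The data layout, candidate names and function names are assumptions; the check covers the definition's mapping only and says nothing about software that behaves differently outside test mode.

```python
from collections import Counter

# Printed ballot order from the certified candidate list (constructed sample data;
# contest names, candidate names and this layout are hypothetical).
PRINTED = {"Governor": ["Alvarez", "Brook", "Chen"], "Measure 1": ["Yes", "No"]}

# Two definitions as delivered: one correct, one with two Governor positions swapped.
GOOD_DEF = {"Governor": ["Alvarez", "Brook", "Chen"], "Measure 1": ["Yes", "No"]}
SWAPPED_DEF = {"Governor": ["Brook", "Alvarez", "Chen"], "Measure 1": ["Yes", "No"]}


def build_test_deck(printed, uniform=False):
    """Return (deck, expected): marks as (contest, position) and expected totals.

    By default position i is marked i + 1 times, so no two choices in a contest
    share a total. uniform=True marks every position twice (the weak deck).
    """
    deck, expected = [], Counter()
    for contest, names in printed.items():
        for pos, name in enumerate(names):
            copies = 2 if uniform else pos + 1
            deck.extend([(contest, pos)] * copies)
            expected[(contest, name)] = copies
    return deck, expected


def tally(deck, definition):
    """Credit each marked position to whatever choice the definition assigns it."""
    counts = Counter()
    for contest, pos in deck:
        names = definition.get(contest, [])
        choice = names[pos] if pos < len(names) else "<undefined position>"
        counts[(contest, choice)] += 1
    return counts


def check_definition(definition, printed, uniform=False):
    """Return the (contest, choice) pairs whose tally differs from the expected one."""
    deck, expected = build_test_deck(printed, uniform)
    got = tally(deck, definition)
    return sorted(k for k in set(expected) | set(got) if expected[k] != got[k])


if __name__ == "__main__":
    print(check_definition(GOOD_DEF, PRINTED))                   # no discrepancies
    print(check_definition(SWAPPED_DEF, PRINTED))                # swap is reported
    print(check_definition(SWAPPED_DEF, PRINTED, uniform=True))  # weak deck misses it
```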
For the 2006 general election then, some significant portion of 2,894 County Election Administrators implicitly trusted some programmer, likely unknown to them, to write 100% accurate, honest and bug free ballot definition software for their 161,111 voting precincts. Election Judges, candidates and citizens in those 161,111 voting precincts were not allowed to inspect the ballots and ballot boxes or observe the ballot count. Had the [DRE touch-screen voting machine] ballots and ballot boxes used in Florida's 2006 13th district U.S. House race been scrupulously inspected, perhaps 18,000 votes would not have gone missing on election day.
Is Ballot Software Safe?
After 50 years of software research and practical experience, computer scientists fully understand how vulnerable all software, particularly election software, is to inadvertent bug malfunction or malicious perversion. Given that optical ballot scanner and DRE touch-screen voting systems use freshly written ballot definition software for each and every election, which at best is only lightly tested, computer scientists know with certainty that the probability of software “bug” malfunction is extremely high where software is not rigorously audited, tested and controlled.
Yet county and state election officials and Judges who little understand the science of computer software, so far, dismiss all warnings from the community of computer scientists that the probability of inadvertent bug malfunction or malicious software perversion is very high for electronic voting systems.
Even when voting machine system error seems the more probable explanation when ballot count anomalies do occur, voting machine industry executives immediately threaten legal action against anyone connected to any attempt to inspect any part of the software ballot box.
So far, when ballot count anomalies arise, particularly in precincts using DRE/touch-screen voting machines, the courts have held that the corporate interest in proprietary and confidential software copyright laws overrides the public interest in election laws that mandate transparent public inspection of ballots, ballot boxes and ballot counting! Candidates and the public have no right to inspect DRE machine software ballot boxes. In precincts using paper ballots with ballot count op-scan systems, candidates and the public are at least able to inspect and recount the paper ballots when questions arise...presuming the chain-of-custody for those ballots has been secured, but that's another matter entirely.
The frightening truth is, local election officials often make no effort to rigorously certify that ballot definition software, freshly written just before each election, is accurate and bug free or that someone in the software chain of custody did not nefariously insert a few extra lines of software code that activate only on election day to flip votes or rig vote totals, before then deleting themselves at the end of the election day.
The more that unchecked and untested software is used in the administration of elections, the more election officials --- and the citizenry who allows it --- hand control of elections over to unchecked and unseen computer programmers.
It is so easy for a political partisan or foreign government to entice or direct contract programmers writing or handling ballot definition software to stuff the software ballot box as they perform their legitimate duties. Even just a few motivated partisan programmers each working independently could easily throw an election! Worse, given that many of the systems in use today have been found as vulnerable to viruses as your home computer (arguably, even more so, since they do not use anti-virus software with regular updates), it could require only a single programmer to flip an entire election.
Six years after George W. Bush signed the Help America Vote Act of 2002 (HAVA), allocating some $3.8 billion of taxpayer money, most of which was directed straight to electronic voting machine corporations, elections are less transparent and less secure than ever before.
DRE voting is more dangerous than paper-ballot systems because it opens the door to wholesale errors and cheating. A single bug, or malicious software instance installed by a single individual, can be distributed to thousands of machines, which could then undetectably change a very large number of votes. This is the opinion of such prestigious institutions as the Massachusetts Institute of Technology and the National Institute of Standards and Technology [PDF] and the Brennan Center for Justice at NYU School of Law [PDF] - (Press Release and U.S. Senate hearing Written Testimony).
A few states and counties, too few, have heard these warnings and are studying the possibility of switching back to a paper-ballot based election system.
Paper ballots are not a magical guarantee of accurate and fraud-free elections. Indeed, there is a long history of error and election fraud with paper ballots, but with DRE voting, where the software ballot, ballot box and ballot tally are hidden from public scrutiny, it is nearly impossible to prove, or even detect, systematic election fraud. With a hand-marked paper record of each voter's intent, along with laws already on the books of many states for public scrutiny of paper ballot election processes, we, the citizens of a free democracy, have at least a chance to detect and deter systematic election fraud through proper oversight and auditing of those paper ballots marked by voters.
We must also tell our elected representatives that they must enact laws to clearly mandate that the public's interest in election laws that allow for the public inspection of all aspects of our public elections, must override the corporate interest in proprietary and confidential corporate software copyright laws!
Michael Dean has degrees in computer science and business administration and has over 25 years of experience in the commercial systems software sector. Michael's background includes new software product development, technology business development and new technology business venture startup.