Guest Blogged from Sacramento by Emily Levy of VelvetRevolution.us (with assistance from Michelle Gabriel, photos by Bill Lackemacher of Sacramento for Democracy) from the public hearing on 7/30/07, called by California Secretary of State to receive comments on her landmark "Top-to-Bottom review" of the state’s electronic voting systems. No internet access was available in the hearing room, so I wasn’t able to live blog as I’d hoped. I did, however, take copious notes, which are posted in full below this brief summary.
ED NOTE: The video of the hearing, which was not easily available as it streamed live today, is now posted here and here. But I recommend Emily's detailed description below for a great deal of value-added content and perspective! And it's faster! - BF
Note: Story very slightly updated with some corrections in the spelling of names, plus one substantive correction regarding Jim Soper's testimony (the very last one in the entire article).
SACRAMENTO - California Secretary of State Debra Bowen made opening remarks, followed by an overview of the Top-To-Bottom Review by the chief investigator, Matthew Bishop, University of California Davis (UCD) Professor of Computer Science.
Following that, each of the three vendors whose machines went through the Top-To-Bottom Review were given 30 minutes to respond to the report. Diebold went first and only took about five of the 30 minutes, followed by Hart Intercivic and Sequoia.
I’m absolutely thrilled to report that Sequoia knows just how to solve the problems found in the Top-To-Bottom Review: California should just by newer systems from them!
After lunch was the public comment period, the longest part of the hearing. I’ve paraphrased and sometimes quoted the comments of just about every person who testified (including my own testimony). There were maybe 25 or 30 county election officials present, many of whom spoke. Freddie Oakley of Yolo County, an election integrity hero, spoke in favor of the Top-To-Bottom Review and said we bought these systems to accommodate voters with special needs and disabilities and “we have let them down in the most appalling way” by certifying systems with such obvious defects and continuing to use them despite those defects.
I believe every other elections official spoke critically of the Top-To-Bottom Review, most criticizing Bowen for not including county elections officials in the review, not reviewing policies and procedures as part of the Top-To-Bottom Review, and conducting the review in a laboratory setting rather than a real election setting. (I, in contrast, think our elections in recent years have been nothing but one giant beta test!)
It will take some scrolling to find my notes on the remarks of the many election integrity advocates who spoke. Most spoke late in the day, probably because they signed up later, after the pre-hearing press conference they held outside the Secretary of State’s office building. But it’s worth the scrolling, because many important things were said. Many of the EI advocates encouraged Secretary Bowen to decertify not just the three election systems tested, but all electronic voting systems. Many advocated for hand-counted paper ballots. Testimony was frequently backed up with credentials, experience, statistics and technical information. The depth and breadth of expertise in the election integrity movement continues to amaze me. (Note: I’ve posted my own comments in full because I had them available. If others who spoke would like their testimony posted in full, I invite them to paste them into the “comments” section of this blog item.)
Several people with disabilities and advocates for people with disabilities spoke. Some, notably Jennifer Kidder, spoke about the importance of election integrity. Kidder said, “The purpose of any equal opportunity legislation is to get marginalized voices heard,” and went on to note that this purpose is defeated if, after voting privately and independently, the vote of a disabled voter is changed by an electronic voting system.
Most of the people with disabilities and their advocates, however, cautioned against going “back” to paper ballots, saying that would be a move in the wrong direction in terms of the accessibility of voting systems. In general, they were supportive of the types of mitigations recommended by the accessibility team of the Top-To-Bottom Review, despite the findings that none of the systems tested actually met the federal accessibility standards as required by law.
Secretary of State Debra Bowen’s office is accepting public comments by email until Wednesday, August 1 at VotingSystems@sos.ca.gov On Friday, August 3, Bowen will announce what actions she will take in light of the Top-To-Bottom Review. We can only hope that she remembers why she was elected, and will take bold action to protect California's elections.
Detailed notes on the hearing appear below. Where I have paraphrased a speaker, I have done so in the first person, sometimes making my own [occasionally snarky] comments inside square brackets. I hope this isn’t confusing...
Secretary of State (SOS) Debra Bowen is making introductory comments. One system [ES&S InkaVote] not included in review because they were so late submitting materials. She’ll be dealing with that in the coming days. One regret about this project is time. Moving California’s primary to February is a good thing for voters who want a voice in the presidential race, but compacted the time for the Top-To-Bottom Review. Friday [Aug 3] is the legal deadline for her to make certain (unspecified) decisions. Refers to voting equipment “known to have unresolved flaws.” Waiting until 2010 was not an option.
Review is but one piece of the puzzle. Reviewers were not asked to do forensic analysis of past election, or look for malicious code, the classic needle-in-the-haystack problem. Time constraints didn’t allow for this.
Some of the vulnerabilities found may already be protected by already-adopted mitigations. Some are new and may be able to be mitigated as well. Security strongest when built in, which is why review looked at systems as they were certified, without mitigations. First determine whether system is secure, then determine if it can be made secure. If you have a leaky roof you can mitigate the problem with a tarp or buckets, but if you call a roofer out to take a look they’re going to look at structural integrity of entire roof absent buckets and tarps. Then you’ll have to decide if you want to pay to repair the roof, get a whole new roof, or whether you want to move.
We have to determine whether underlying problems can be corrected within constraints of certification process, whether they can be mitigated, or whether some are so serious that systems should not be used.
Top-To-Bottom Review is a means to an end: “We want to be able to have secure, accurate, reliable and accessible elections and we want to be able to verify them. We want to be able to have confidence in the results of the electoral process.”
Members of the Panel included:
Lowell Finley, Assistant Secretary of State
Judith Carlson, Elections Division Counsel
Bruce McDannold (don't know his current title)
Chris Reynolds, Dep. Secretary of State for HAVA activities
One other person on panel whose name I didn't catch.
Matthew Bishop, UCD Professor of Computer Science will be presenting the report. Announced that Prof. David Wagner would have been presenting on source code, but isn’t going to because that report has not yet been made public.
Presenting results from accessibility and red team reports only, not source code reports which Bowen is reviewing to make sure they don’t expose information that needs to be kept secure. There were two red teams, “Team Bob” and “Team UCSB.” Members names listed at Secretary of State website, "Top-To-Bottom Review".
Accessibility study: Reviewed all three types of voting systems. Goal was to identify whether systems were sufficiently accessible for voters with a range of disabilities and language access needs. They were also to look at possibilities for both short- and long-term mitigations. They did live subject testing with 45 test voters with a variety of disabilities and language needs. Although some of the systems could be used by some voters with a variety of disabilities, none were fully accessible for all voters with disabilities.
They looked at physical access, especially for voters in wheelchairs and voters with manual dexterity disabilities. Printers had negative impact on privacy and accessibility. Blind voters cannot directly verify the VVPATs ["Voter Verified Paper Audit Trails']. One system’s VVPAT blocked physical access to the machine. A simple short-wave receiver could be used to listen in on audio ballot on one of the systems! There’s much more. (See full report) Conclusion: The three tested voting systems all substantially non-compliant with HAVA and VVSG guidelines. Discussion of mitigations (see report)
"Red Team" [Hack] Study: Background about what a red team study is: People have said it’s like handing someone the keys to your car and inviting them to steal it. Not a good analogy. Better question is how can a thief steal a car if they steal the keys, or even without the keys? Specific goal of red team was to identify and document specific types of vulnerabilities. Attacks that could come from a voter, poll worker, election official, vendor, etc. Did not evaluate policies and procedures. Didn’t have the time, and each of California’s 58 counties have their own. Also even the best policies and procedures in the world are worthless if not carried out effectively.
With a couple of the attacks they did, it requires significant expertise to devise it but very little to carry it out.
The common belief that secrecy is protection is not accurate. It is in fact a very porous layer of security.
All systems used in elections in California have to be certified. Independent Testing Authorities [federal ITAs] do testing of systems to make sure they comply. Quality of standards is inadequate. Questions raised about the testing of the ITAs, in particular Ciber. There are issues in certification.
Concerns with this study: Time. We had five weeks, not enough to do a complete review, but we were extremely thorough with what we did. Also lack of info provided by vendors. One ballot box wasn’t delivered until July 18. This means that results of this study should be seen as a lower bound, what we could find under these conditions. With more time and more complete info, we may have been able to find more. “All team members felt that they would have found more.”
What kind of threats? Attacker modifies firmware. Inject firmware, then deliberate mis-recording of voter’s vote.
Time: 10:39a. Recorded description of firmware attack.
Election management systems run on non-secure platform (Windows.)
Sequoia: Breached physical security, overrode firmware. Vendor has proprietary operating system, which one might think would make it more secure, but we found the opposite. Testers were able to detect when system was in test mode and when in election mode. Able to access election management system and inject malicious software, could forge update cartridges and voter cards.
Diebold: Server was configured as it would be to a county, vulnerable to well-known exploits, compromised using widely-available software. Not all security related actions were logged. Physical security: bypassed locks, disabled printer but machine could continue to record votes. Default key is very widely known.
Hart InterCivic: A bit trickier because election management system could be installed with a variety of operating systems, so that wasn’t the best use of testers’ time. However, did find that they could get access to undocumented account. Able to override firmware and _____________ Tempest attack succeeded: an electronic listening device, standing well away from the Hart E-slate, could hear votes that voter was casting using audio access feature. He keeps saying read the public reports.
Both teams felt security mechanisms inadequate to ensure security and integrity of systems. Vendors should assume that systems used in completely untrusted environments, which would provide another layer of security. This is not an insult to anyone. Policies and procedures must be carried out effectively and should be part of design of the system, seen as an integral part of the use of these systems. For example, what if you depend on tamper-proof tape and an attacker buys some off the Internet? In general, security should be part of the design and implementation of system, not added on after the fact. Incompatibilities can cause extreme security problems. (Other recommendations went by too fast for me to catch.)
(I notice that Bishop is talking as if these systems are going to continue to be used. )
Tests like this must be done before certification by federal and state officials.
Lowell Finley: Asks Bishop to explain firmware. It’s the type of software that runs on these particular machines, the voting units and the scanners, touch screen, Hart E-Slate, Diebold AccuVote OS, etc.
(E-scan is an optical scanner system.) JVC (Judges’ Vote Control?) is the system that prints out access code for each voter.
Bruce McDannold: Asks Bishop to elaborate on potential consequences of overwriting firmware not just for current election but future ones?
Bishop: Programmer could allow system to be completely vulnerable. “A nasty person” could alter the firmware so wrong vote could be recorded, could change how things are counted, could flip election results, etc. Might or might not be detectable on paper trail. If firmware isn’t fixed, corrupted firmware would continue to run on that machine. This is an example of how crucial policies and procedures are.
Chris Reynolds: Asks clarification about attacks being difficult to design, easy to carry out.
Bishop: Carrying it out would require access to one point of election process to carry out attack.
CR: Asks if auditing is considered a layer of security.
Bishop: Yes. Audits should be designed in with the system as part of security mechanism.
McDannold asks about which attacks affect one machine, which affect more. Bishop says he can’t talk about that without going into the part of the findings that isn’t public.
Vendor Responses (30 minutes per vendor, then panel can ask clarifying questions)
Diebold, Hart, then Sequoia
Rob Norcross from Diebold Election Systems:
He’s reading Kathy Rogers’ statement, as she couldn’t get here because of storms in the southwest. He starts off talking about their system’s ability to reduce voter errors! They’re thoroughly reviewing report that they received Friday and will sit down with Secretary of State staff later in the week (I think he said after reviewing private portion of report.) Same old, same old about how they should have had a voting official involved in tests, all systems are vulnerable under these conditions, etc. Testing was not on most recent version of system. Diebold has upgraded software, which has been “federally certified but has not yet been certified in California.” “We are pleased to participate in the review. We enjoyed the cordial and professional relationship with your staff and members of the Top-To-Bottom Review team.” He spoke only a few of the 30 minutes allotted! (Can I have the rest of your minutes, Rob? There are a few things I’d like to say.)
Panel questions: How much different might results have been if done on most recent version?
Norcross: “Personally, I’m not sure.” (He got pulled in to read statement at last minute.) Many of the findings are similar to previous investigation of the system reviewed and have since been mitigated. [Trust us.]
E-slate first used in 2000 election. Now installed in 300+ jurisdictions nationally. In 2003 they noticed that public demanded higher security for e-voting systems. [I missed part of what he said.] “Systems security must be evaluated in terms of probabilities and likelihoods.” Higher security results in increased system costs, operating costs and complexity, “yielding reduced usability.” Talks about finding acceptable and reasonable balance. He’s complaining about the way the red teams did the Top-To-Bottom Review. [You can’t complain that someone breaks up with you, so you have to complain about how they did it, right?] “Electronic systems have typically been held to an absolute standard, which is unreasonable while vulnerabilities of other [methods?] have been ignored.” Hart analyzed security of paper ballot systems and, guess what? Found some vulnerabilities! (Distract poll worker, steal ballots, etc.)
He says, there can be stronger security, but will the increased complexity be understood? “Is ballot data public information? If so, can it be obscured from public view?” He says this is a question they’ve been trying to get answered for years and will probably eventually been resolved in court.
Hart would have preferred to have been given time to train red team on use of the system, including their system called “SERBO” (sp?) System verification is part of that and was apparently not understood by red team. He talks about something that nullifies the attack scenario that was used in the report. Didn’t quite follow it. (Time: 11:28a)
“It’s been a difficult couple of years for voting system vendors.” He complains that they’re being forced to work in a vacuum. “We need to come together and solve [problems] as one.”
“We have a duty to our customers and the public to protect the integrity of the system.” Who are their customers, again? I forget. Wants public inspection designed by Organization for Internet Safety. (What’s this?)
Vendors can’t pay for reviews as that will taint the outcome. Counties don’t have the money. They think philanthropic organizations should get involved.
Says there are errors and omissions in report that must be addressed before decisions made.
“This report is an important tool but must be used responsibly.”
Panel has no questions for him.
Sequoia equipment currently used in 21 of California's 58 counties. Begins by complaining about the environment in which the review was conducted, that it was a “worst case” evaluation, not a real world scenario. “The red team has no corresponding blue team,” “friendly study.” [Honey, you had that. It was called the ITA process!] Testing assumes insiders have unfettered access, which he says isn’t true. Cameras in warehouses, audit logging, laws that make tampering with election equipment felonies. [Nobody in the government would dare break a law, now, would they?] “All that we have proven is that computerized systems, removed from the environment and placed almost literally out in the street...” can be compromised.
Vendors clearly have another opportunity to give feedback to the Secretary of State's office.
Talked about how much there was a need to try the hacks in a real election environment. [Not that they’ve tested their mitigations that way or anything.]
Yellow-button attack easily prevented in a number of ways, disabling of yellow button, placement of machine for supervision by poll workers, placing physical seal over button to prevent it from being pressed until authorized, etc.
He says California's parallel testing deals with the issue raised by the red teams of their ability to determine whether systems were in test mode or election mode.
He’s going through the report, item by numbered item, and refuting things, talking about all the mitigations that mean the findings are, as far as Sequoia is concerned, irrelevant. Hard to follow without having the report in front of me. But it’s very detailed, and those who want to should try to listen to or watch his testimony and review it in detail.
He says it’s false that voters don’t check the paper trails. [see MIT/Caltech study showing most voters don't check paper trail; see Rice University study showing that two-thirds of voters don't notice electronic vote-flipping when reviewing their vote.]
He says it is impossible for malicious software to get into a system, mitigated by virus and spyware protection.
“Sequoia concludes that none of the threats outlined represent a realistic threat if [security measures available are in place].” [Note: see comment below about Alameda County.]
[Oh, now he has a great idea! All these problems should be fixed by...(drum roll, please) buying updated systems from Sequoia! I feel much better now.]
LF: Are you familiar with videotape that was made of first use of Sequoia VVPAT in Nevada in 2004? [response: yes] Are you aware that elections officials in California agreed that a significant number of voters did not look at the VVPAT? [response: not aware of that]
Public testimony will be after lunch. [Doing my best with the spelling of people's names. Apologies for errors.]
Speakers from the public are given three minutes each, but some people signed up and then ceded their time to other speakers.
Blind computer person, worried about security, preserving our democracy. I know there are going to be some blind groups here who don’t care as much about security as whether I can cast my ballot independently. I’m more concerned about security, including internally. “It’s more important that our votes are counted correctly than whether I cast one on an absentee ballot or machine, or whether I cast one with assistance.”
Former CA election administrator for 15 years. Understands concerns of RoVs today that machines may not be able to be used. However, the reason they may not be used is critical. Machines sold to counties based upon false representation that they could be used for the purpose for which intended, honest elections. The vendors knew or should have known that their machines were never safe from hacking. I believe firmly that the RoV’s have right to return machines to vendors and to get full refund of the purchase price. Non-computerized, affordable machines are available and there’s time to use them by next election. Op-scans could be used to count these paper ballots. “I urge the Secretary of State to ban these corrupted computerized voting machines for use in any election to be held in the state of California.”
Top-To-Bottom Review much needed. Retired electronics engineer/computer consultant with 20+ years working with disabilities community. Involved in Logic & Accuracy testing of voting systems in his county. HAVA does not mandate purchase of e-voting equipment. We need to know how helpful HAVA equipment has been with voters with disabilities.
President of California Assoc. of Clerks and Elections Officials. Asks county clerks to stand up. Maybe 25-30 of them. Some will be speaking. He supported the idea of Top-To-Bottom Review before primary was moved. Says we lost opportunity to do methodical process. Says they offered to help and were excluded [NOTE: Bowen also excluded herself from the process so that her bias would not effect the outcome]. Says Top-To-Bottom Review “more about headlines than legitimate science...” If source code wasn’t reviewed, we’ve missed an opportunity and created a public policy blunder. People deserve to know if there’s malicious code in our systems in California. Complains about how study was conducted. The public has been deprived of knowing what real world issues are since testing was done in laboratory setting. Previous studies have shown that machines have counted the votes properly. This was not a comprehensive Top-To-Bottom Review. Unhappy that RoVs, who he says represent poll workers, were not included. There’s not one shred of evidence that one voter has had their vote compromised. There’s no smoking gun here. [That’s part of the problem, dude.] He does think there are some good ideas in the report.
Contra Costa Co. Assistant Registrar of Voters (RoV). Because Top-To-Bottom Review didn’t take procedures into account, public is left with “the false impression that undetected tampering is possible in an election.”
Riverside Co. “Please decertify the Sequoia voting system used by our county.” We cannot rely on election workers’ integrity. He worked on auditing paper receipts from 2006 election. “I was shocked” at the discrepancies we found. (Missing cartridges, etc.) 21% of precincts had serious problems, only 6% were complete. This situation has not resulted in any disciplinary action. (“You’re doing a heckuva job, Brownie,” Greg Taber quotes.)
Elected County Clerk and RoV in Shasta Co. No election officials included in review process. Could have helped particularly in accessibility report, because they know about how they help with some of the things that were found to be problems. Mentions that machinery her county received in 2003 was noted in the review as apparently new and not in use by existing systems. This goes to show the lack of context in which some of these tests were performed.
Open Voting Consortium. You’ve got the patient on the table and it’s cut open. You can’t just stitch it back up. “The patient on the table is democracy herself.” “The public has a right to all the information about how the voting system works.” “Should we continue with a voting system that protects trade secret [methods?]” Or should we move to a completely public system? “We are done with secrets. We need a solution.”
Open Voting Consortium. Submitted a statement by Jim March saying that this situation needs to be brought into the realm of criminal justice/consumer fraud. Brent says get rid of propriety systems, have hearings on open source, paper ballot systems. Discusses Open Voting Consortium and Open Voting Solutions. “There is no way to tend to the fixes.” “Now that we’ve confirmed the vulnerabilities we must seek solutions.” Says hand counting is part of open source systems.
Thank you for the strength and courage that has brought you to this moment.
I fear that, even after months of testing, there's still an elephant in the room that has not been tackled. Even if you and your staff could plug every hole in physical and software security, and the voting systems were made fully compliant with the accessibility requirements of HAVA, it would still not be safe to use these systems. Why not? Because even if they were absolutely protected from hacking, the systems and therefore our elections could still be rigged. There is no way to provide an absolute safeguard against electronic voting systems being delivered to the counties and presented to the voters already compromised. For this reason alone, these systems and others like them must never again be used in our elections.
The irresponsibility and lack of ethics of the vendors has been amply shown:
They have misrepresented their products.
They have installed uncertified software.
They have cut corners in developing the security of their systems.
Clearly they are not guided by ethics or commitment to the public good. Clearly they have other priorities.
Is it so unbelievable, then, that they might rig an election?
We shouldn't be thinking of how we can make these systems work, we should be thinking of how we can make our elections work.
We have a crisis in voter confidence that can only be solved by creating a true basis for voter confidence. Only transparency and public involvement can save our democracy now.
Perhaps more than any other human being in this country, you, Secretary Bowen, are in a position to take bold, decisive action that will reverberate around this nation and turn it in its tracks. The next step is to decertify these machines, to send these vendors packing and tell them not to come back. Not with another promise, not with another model, and not with another roll of toilet paper.
The people of California, the people of the United States, the people of the world are counting on you.
Talks about discrepancy between software in escrow and software in use. [I'm still shaking from speaking truth to power, so can’t quite hear him.]
RoV of Trinity Co., using op-scan and Diebold TSx. They’re on their 3rd variety of touch-screens. Pleased to see reviews being done, wishes they’d also reviewed procedures because that’s where he needs help. Testers said that with more time they think they’d have found more vulnerabilities, and he’s concerned that they’re going to mitigate what they found and it won’t be enough. Agrees that policies and procedures should be considered a part of the system. Should look at these and see if they mitigate the vulnerabilities that were found.
Another election official (missed his name)
If Bowen decertifies machines and the elections are a mess it will be her fault.
[not sure if the following is the same person or the next speaker]
RoV/Recorder/Co. Clerk in L.A. County, before that San Diego, before that Dallas. Notes that report done in absence of mitigation strategies. No assessment of likelihood of voter going into polling place with common office tool or what poll workers might do. No comparison with paper ballot systems, ease of ballot box stuffing, ease of “attempted fraud.” “Handling paper is really difficult in the electoral process.” We need to move forward. HR 811 and S. 1487 would mandate paper trails and manual auditing that California already doing. Says David Jefferson called her to ask about manual auditing process in L.A. Their November 2006 audit involved hand-counting half a million to one million votes (I don’t think she means that many ballots, but counting each vote on each ballot as one vote.) Cost was two hundred something thousand.
New RoV in San Diego Co. [and former Diebold sales rep!] San Diego Co. has successfully run its elections using Diebold systems. [Finally some news!] “San Diego voters have expressed confidence in their voting system.” There are nine voting systems in use in state and only three were tested. What if the vulnerabilities in the other six systems are greater than the vulnerabilities of those tested? She’s concerned that Bowen’s going to decertify the systems that were tested and leave the other systems in use, it seems. [I agree that wouldn’t make sense.] “It’s important to note that no malicious code was found during the review.” [I believe they didn’t look for it either, but no need to mention that.] Refrain from taking precipitous action until all systems reviewed and security measures are made a part of that review. Institute parallel monitoring. Send Secretary of State staff to county offices to work together. And a few other recommendations.
San Diego Co., volunteer poll worker. Hand counting would take three and a half to four hours, poll workers can’t do that after already working a long day.
(missed his affiliation)
“The right to a private, independent and verifiable method of voting must not be sacrificed in the attempt to resolve the outstanding issues with respect to ...DRE machines.” The Top-To-Bottom Review fails to consider the legal rights of voters with disabilities. Recommend temporary certification of all systems. No one’s working on accessibility of VVPATs to blind and visually impaired voters. A timeline benchmark approach is the prudent way forward.
Lassen Co. Clerk/Recorder/RoV. We take our jobs very seriously. No matter how hard the job gets, we always get the job done. [This really is commendable. Absolutely.] “Please don’t throw the baby out with the bathwater.”
Chief Info for Alameda Co. for over 20 years, now RoV. This is too important to rush. Talks about the security of the vote counting room. (If you picture the opening credits of “Get Smart,” you’ll get the idea.)
Clerk of San Luis Obispo Co., restating stuff said before.
Clerk/Recorder/RoV of Yuba Co. adding her voice to the consensus (so far) of the county clerks/recorders/RoVs who have already spoken. “Credibility and trust does not come from chaos.”
Horrified with what’s happening with our voting systems. Credibility is shot. Companies are compromised. Machines are compromised.
Election Integrity Committee of San Mateo County Dem. Central Committee. Mentions Ohio, Sarasota. Cozy relationships of vendors and county officials, voting machine sleepovers with pollworkers/breaking chain of custody, election certified in San Diego before votes actually counted. Need audits with 99% scientific certainty. Attention to chain of custody. “Voters deserve complete assurance that every vote is counted as cast.” Talks about how hugely expensive these systems are and how they are draining local coffers. “This democracy belongs to the citizens and the voters of California. It is not for sale.”
Another RoV, missed which county. We do have a bit of a Catch 22. We should respond to the reports but the detail we need hasn’t been released, and rightfully so. No risk assessment has been done. Brings political posturing and emotional responses without practical value.
(Missed which county) Center for Independent Living. Don’t rescind certification. Accessibility is not perfect but is greater than we had with previous systems. Decertification would be a step backward. She recommends that all types of systems that come to California go through accessibility testing and says that AutoMark hasn’t.
Colorful description of what a mess things actually were in polling place she observed. Presents a pile of petitions.
RoV, Santa Cruz Co. We’re all in same boat together. We conduct ourselves as nonpartisan caretakers of our democracy. Talks about what public can observe. We are passionate about the elections process and precious gift of voting. Want everyone to vote. Feels frustrated when people don’t vote because they think their vote won’t count. She’s confident in Sequoia system used in Santa Cruz Co and says "I can guarantee that every eligible vote is counted accurately". [Oh, really?] Talks about recent grand jury investigation of Santa Cruz Co. voting system and concluded that system is fair, accurate and secure.
Elected Clerk/Recorder of Yolo Co. representing voters in her county who appreciate Top-To-Bottom Review. She believes it truly has support of her voters for the Top-To-Bottom Review. Compares the last few months to “an annual physical after you’re 50.” They let you know what’s wrong and help you lead a better life (quit smoking, get exercise, etc.). Now we know what’s wrong, to some extent, and can make a plan to fix ourselves. I was skeptical about these systems anyway. And I’m truly shocked at the accessibility report. Legs on booth aren’t far enough apart to meet minimum standards for ADA. We bought these systems to accommodate voters with special needs and disabilities and “we have let them down in the most appalling way” by certifying system with such obvious defects and continuing to use them despite those defects. Thanks Bowen and also the other clerks.
Clark Boots [Beautz?]
Placer Co. (director of info or something) Encourage Secretary of State on mitigation policies and procedures before making any decisions.
Election Services Coordinator, Santa Clara Co. We all need to smile. This is an opportunity to show off what we do and strengthen the numerous safeguards we already employ.
Next up is the Placer County group, which signed up for and ceded to each other a total of 45 minutes
[couldn’t hear names of some of the speakers] Security of our voting systems much be considered in the context of policies and procedures.
_____, Asst. Registrar/Recorder, Placer Co., Diebold county. “We are sworn to protect and defend the Constitution of the State of California and the Constitution of the United States.” We take that seriously.
[Placer registrar, I think]
Nobody’s ever come to Placer Co. to look at my procedures. “Should you trust me? No. I’m an insider. I need to earn your trust.” I’ve never been a fan of touchscreen voting, not because it doesn’t work, not because it doesn’t count properly.” It’s expensive. But I wanted my disabled voters to be able to vote. So I had focus groups of disabled voters in my office. System of choice we’ve heard of, AutoMARK, I found it had a lot of problems and it was the worst-rated system of my disabled community. They chose a touch-screen system.
[end of Placer Co. group]
I’m a registered voter in Alameda Co. Thanks Bowen for Top-To-Bottom Review and for the audit working group report. Importance of serious and well-designed audits, should be as good as those used by banks and casinos. It makes no sense for RoVs to audit their own activity/performance. Need serious, professional standards. Talks about “risk-based approach.”
RoV Orange Co. Hart InterCivic. Applauds Secretary of State for her efforts. In Orange Co. we have had some of the closest races in California recently, one election 13 votes apart, one 3 votes apart. We really have gone into a hand count scenario. We found the count “on the paper ballots” to be 100% accurate. [A judge ruled the county did not need to recount the DRE "paper trails", only the paper ballots, in a recent election contest decided by 3 votes.]
Concerned Citizen of Oakland, Alameda Co. We’ve heard over and over about how mitigations were weren’t part of report. We’ve heard about tamper-proof seals and how poll workers are trained to look at them and take action if they’re tampered with. Two poll workers testified that training didn’t teach them to check the seals. The gentleman from Sequoia stated that of course people look at VVPATs. Notes studies showing that’s not true. “These mitigations don’t make me feel secure.” If a seal is tampered with and you take the machine out of service, will you count the votes already on it or not? I want you to think about denial of service attacks, not just changing the votes but annihilating the votes. ES&S source code taken out of escrow didn’t match what was in use.
Sharon Graham [Brown?]
Sacramento. One technology not discussed here today is hand counted paper ballots. Reads part of the petition presented by Dr. Judy Alter. Open system, hand-counted paper ballots, counted at precinct level.
Concerned citizen. Every time the vendors come and talk about software versions, it’s always a new version no one has seen. That makes me skeptical about whether my interests are being served. To me it comes down to money. I’m glad for the Top-To-Bottom Review. I have a lot of confidence in my Placer Co. registrar. People of color have been told that there were no problems with our votes being counted, yet it has become documented that there were problems. I’m asking you to take seriously the red teams’ concerns and to implement a lot of security mitigations. We need standardization all over state. “We are all in this together.” The vendor referred to his customers. We are his customers. We are the voters of California.
California Voter Foundation, CalVoter.org. This review benefits not only California voters but voters nationwide. Florida and Ohio and NJ are doing similar studies. I’m particularly concerned about Diebold TSx has remotely accessible Windows account that can be accessed without a password. Also firmware for boot loader in Sequoia system can be overridden. These are serious risks that need attention. Security cannot be dependent on procedures. Local procedures vary widely, it’s difficult to oversee all of them. We know poll workers can’t keep an eye on everything. Bowen will need to look at both short- and long-term solutions. Short-term risk mitigation and long-term overhaul. Report at her website about new study for strengthening California's manual count process. (Somebody post a link to that please.)
Napa Co. Assessor/Recorder/RoV. We bought touch-screen machines after 17,000 voters chose them unanimously. There has never been a question about their reliability. [Time to start askin’!] California's 1% manual tally have proven results accurate. Top-To-Bottom Review no relevance, waste of money. Refers to Kevin Shelley’s “decertification fiasco.”
Enthusiastic support of Bowen in taking bold strong action. Speaking as a disabled person who needs assistance and accommodations different from others in order to give me an equal opportunity for success. The exercise of voting is for the purpose of having our voices heard, not for the experience of the exercise of voting itself. The purpose of the secret ballot is to combat intimidation/coercion that could result in a vote being stolen. If the vote can be changed after it’s voted, the exercising the right to vote is useless. “The purpose of any equal opportunity legislation is to get marginalized voices heard.” I do not trust any secret software, privately owned, to accurately or honestly express the voice, true intention of disabled voters, including myself. I want the assistance to come from a human being I can communicate with and do trust, not a private corporation whose motive is profit, not my interest. Advocating for hand counted paper ballots, where all can vote and witness the counting of the vote. Public elections cannot be under the control of private companies.
Many thanks to Debra Bowen. Alameda Co. Any kind of code could be hidden in these machines and it would be practically impossible to find it. Exit polls are extremely accurate. Some European countries with Hand Counted Paper Ballots use exit polls to declare winner before ballots completely counted because they are so accurate. It’s been said there are no smoking guns. The exit polls are smoking guns. In 2004 the exit polls in all the swing states showed Kerry winning, then all switched over to Bush outside the bell curve of possibility. I don’t trust voting machines because I can’t check how my vote was recorded or tabulated. I am most concerned about secret malicious internal code, not the hacking.
Software consultant and programmer, election integrity advocate. “One American, one vote, counted as cast.” That’s the motto of my website, CountedAsCast.com. California state law says these machines must be safe from fraud and manipulation. Slot machines are still more secure. Addresses issue of red team having asked for the source code. For Sequoia they didn’t need it because they could do everything without it. For Diebold they had it because it’s on the internet. They had no access to the source code for Windows or Microsoft databases and they were still able to succeed in attacks. This scares me the most. They didn’t need source code for that. They opened machines, keeping security tapes in place. When parallel testing was used, the machines were selected for that before the election. This is not a random or accurate test. Must be random selection of the machines on election day. Lists problems ranging from Monterey Co. registrar now in jail to hundreds of missing memory cards in Chicago, to machine sleepovers. Registrars say they want a real world test. But in Alameda County the Board of Supervisors approved a red team test and the Registrar stopped it. He thanks Debra Bowen very much for doing what she was elected to do.
Disability Rights ____ Center in L.A., a law firm. We need secure, accurate, reliable and accessible systems, our primary concern is possible disenfranchisement of voters. Much needs to be done to increase access. Let’s not throw out the baby with the bath water. Don’t turn back in time and deny fundamental rights to people with disabilities who want to participate in our democracy.
Protection and Advocacy (working with people with disabilities) We agree that short-term strategies could mitigate accessibility problems. We don’t believe in decertification without acceptable and ready replacement as it would disenfranchise voters with disabilities. For long term, actively seek out and develop new voting systems.
This is the most important hearing that’s been held in California in ten years. Whatever computer you use, it’s going to be vulnerable even to the army of teenage boys. Given that, imagine what a company with the power of Diebold could do.
Wellstone Democratic Renewal Club’s Voting Rights Task Force (VRTF)—submitted prepared testimony and spoke ad lib. At last week’s U.S. Senate hearing on Feinstein's S.1487, [a rep of some computer agency] testified that upgrades take 54 months. Are we to wait that long? Doug Jones of the University of Iowa has a patent on a an assistive device. This should be looked into. Also VotePAD and EqualiVote. The Alameda County RFP [Request for Proposals] included a question to Sequoia about what kind of security check it did on its employees, and the response was basically it’s none of your business. In Riverside election results posted online, there were four precincts with zero registered voters and one vote for governor. These machines are not accurate. ...We need to decertify the DREs. Mitigations are not enough. In February '08 primary election, allow one DRE per polling place for minimal HAVA compliance.
RoV San Bernadino Co. Elections officials are dedicated and ethical individuals. My co. has only 700,000 registered voters. We were first county in California to implement paper audit trails. Voters are confident with the system. Free access is not permitted to any voting system components. Our goal is to continue to conduct successful elections.
Riverside County group:
RoV of Riverside Co. Riverside Co. was first county in nation to deploy touchscreen voting county-wide. There have been no errors or defects in any election. [Election Integrity Advocates in the county suggest otherwise] No attacks reported in Riverside Co. or elsewhere. Our voting system performed with 100% accurately. Voter-requested recount has never changed results of an elections. Voters can choose paper. [No mention that county officials then re-create their votes by punching them into the touchscreen machines, as previously reported on BRAD BLOG.] It is ironic that election integrity advocates that so aggressively pursued paper trails now want to abandon this technology.
Problems with methodology of Top-To-Bottom Review, no looking at policies and procedures. Calls it a no-win scenario for the systems. There’s never been a documented case of electoral fraud anywhere in California.
Election Defense Alliance, California Election Protection Network. Emphasis today has been on hacking from the outside. Greater danger is inside hacker, uncertified software patches, etc. Voting systems are about two years behind current security requirements. ES&S and Diebold software have common ancestry that includes people convicted of serious crimes. It’s been said that systems 100% accurate. How would we know? When has there ever been a thorough hand-counted audit? One percent audit is not statistically significant. Ballots must be hand-counted in precinct on election night, before they leave the purview of the citizen counters. He reads some quotes from Tom Courbat of Riverside Co., but too fast for me to type. The gist is that they shouldn’t deal with the problems by adding more layers of requirements that counties will have to follow.
Voter from San Mateo Co. Voting process must be transparent and simple enough that ordinary people can understand how it works. How can we know that systems are working with 100% accuracy. How can anyone make a statement like that; you lose credibility by saying that. We need paper ballots for full transparency. Not machine-generated paper trails, which are frequently ignored by voters and there’s no assurance that what’s on it is the same as what is counted. Vendors claim newer versions of their systems deal with the problems. This could be an endless cycle, with counties just having to keep buying newer systems from them. Mentions Busby/Bilbray election in San Diego. I do not trust the voting machines and I am not alone in that.
San Bruno (San Mateo Co., I believe) Talked about revolving door of elections officials and vendors creating a conflict of interest.
Software engineer and concerned citizen. Wants paper ballots. I know how well computers can be manipulated. Paper ballots would solve problems, save money and restore voter confidence.
Election Industry is an even greater risk than the military industrial complex Eisenhower warned us about. This review has shown how fearful vendors are of scrutiny. While I welcome this review, it’s not a Top-To-Bottom Review. A Top-To-Bottom Review would include unannounced forensic review, review of audit logs, etc. Shame on election officials who have obstructed citizen oversight. We must know that we are governed by the will of the majority, not the will of hackers or programmers. I ask Secretary of State to decertify all electronic systems. Defend the interests of the voters, not the industry.
Professor Bishop answered a few questions while I was typing other stuff.
California Foundation for Independent Living Centers, Exec. Director. We are extremely concerned with access to democracy. We helped provide individuals to help test the systems here. We’re pleased with the testing that occurred and not surprised by what was found in the accessibility report. About 20% of Californians identify as having some sort of disability or functional limitations. Only about 30% of people with disabilities vote, which we think is largely due to problems with accessibility of systems and polling places. Decertifying the voting systems as they are now is actually going backwards in terms of access for people with disabilities. Paper is not accessible to a full range of people with disabilities and is absolutely inaccessible to a large number of people with disabilities. Where we want to go is where you’re headed with disability report, improving existing systems.
Now there's an added opportunity for people to speak about LA County's InkaVote Plus system.
None of the systems are better or worse than the others. Talks about San Francisco having stayed with ES&S. Didn’t quite get it. At this point we have to stipulate that these machines are broken and democracy is in jeopardy.
L.A. has the most complex voting cluster I’ve seen, four different systems including InkaVote. There were 18 Dell computers running GEMS II, not needed and uncertified, connected to the central Micro Tally Ssystem network. This was in June of 06. No system should be used without going through this Top-To-Bottom Review. Nobody has checked InkaVote. Please check it.
NOTE FROM BRAD: If you've made it this far, you'll know what a spectacular job Emily did in reporting from the hearing. None the less, I wanted to add my thanks for a fantastic job, Em!