Free Times - Ohio's Premier News, Arts, & Entertainment Weekly

News

Volume 15, Issue 32
Published December 12th, 2007
News Lead

Rise Of The Machines

Ohio Takes The "Better Late Than Never" Approach To E-voting System Review

Everyone in Cuyahoga County had their fingers crossed on Nov. 4, election night, including Ohio's recently elected Secretary of State Jennifer Brunner. It was the first countywide election under a new director and board, and another go-round with the two-year-old, $20-million, controversial Diebold electronic touch-screen voting system.

Turnout was about 15 percent, so the data were hardly burdensome. But after the tabulation server crashed twice, elections staff resorted to saving vote totals every 45 minutes, then rebooting the server.

At the public post-mortem, during a county Board Of Elections meeting a few weeks later, Director Jane Platten was clearly frustrated. Diebold techs were being summoned again to investigate what went wrong.

"We're spending too much time figuring out the deficiencies after the election versus spending time planning ahead on election management, and more efficient elections," Platten told board members.

It was just the latest in a list of incidents that justified Secretary of State Brunner's ordering a comprehensive review of the three electronic voting systems in use in Ohio.

Begun in September, "Project EVEREST" (Evaluation and Validation of Election-Related Equipment, Standards and Testing) is an ambitious and overdue assessment of how Ohioans' votes are counted. Its emphases make a significant and meaningful departure from all previous rounds of federal and state testing that first gave these flawed systems a green light. Still, serious questions remain about what results the public will actually get once Brunner releases her findings on December 14.

The current batch of Ohio's electronic voting systems has been around since 2005. Then, former Ohio Secretary of State Ken Blackwell authorized counties to purchase either touch-screen machines (on which votes are recorded on memory cards, then tabulated on a central server; votes are also visible on an attached printer) or optical scanners (on which paper ballots with filled-in ovals are scanned). Three vendors, Diebold, Hart InterCivic and Elections Systems and Software (ES&S), were approved to sell their wares, based on a federal testing and certification program. No one bothered to check exactly how vendors were obtaining this federal seal of approval.

Turns out that the whole setup was ineffective at best and compromised at worst.

A 2002 federal law mandated a wholesale switch to electronic voting, but did little to ensure that the standards or technology were up to the task. Old and weak federal voting system guidelines were used, and a small cadre of "independent testing authorities" (ITAs), certified by a non-government agency, tested products against these guidelines. It didn't take much to get a passing grade.

Muddying the waters further was that vendors chose their ITAs, paid them directly, and received confidential feedback. If tests failed, a vendor could keep going back to its chosen ITA until its system was cleared.

"An awful lot of technically awful voting systems have passed the tests conducted by [these labs]," says David Jefferson, a computer scientist who has reviewed many of these secret reports as an advisor to the California Secretary of State's initiatives on voting technology.

After one Diebold optical-scan system had been certified, a Finnish computer expert executed what's become known as the "Hursti hack." In May 2005, Harri Hursti showed that an optical scanner's removable memory card could be reprogrammed to alter vote totals. Then, this August, California's SOS released jaw-dropping findings (conducted by academic computer security experts) about the state's machines. On Diebold touch screens, ordinary objects could disable the voter-verified printed ballots (needed for recounts). Hart's optical-scan software could be rewritten to alter vote totals, and its touch screens' printers could be manipulated to produce multiple records. California's SOS has since decertified almost all e-voting machines in the state.

These vulnerabilities eluded the federal testing process. And it's unclear how much was caught by Compuware, hired in 2003 and again in 2005 by Ohio's Blackwell, to identify systems' vulnerabilities before the state spent nearly $130 million in federal funds.

Ron Olson, a member of Citizens' Alliance for Secure Elections and Brunner's recently formed Voting Rights Institute, reviewed Compuware's studies this summer. He concluded that while Compuware's work was "adequate and produced valid findings," it was extremely limited in scope. Tests were conducted on a single touch-screen machine selected by the vendor, versus systems currently in use. Many of Compuware's fixes relied on better policies and procedures by elections officials. These, wrote Olson, "are not magic solutions that can resolve all problems."

Which elections operations would work best or not at all was never assessed - and no one left in the SOS office today knows what was finally carried out.

The study Secretary Brunner has commissioned is complicated.

Five sets of testers - two private labs and three groups of academic computer security experts - will bring in machines from the field. One private lab, SysTest, will make sure systems are the same as when they were certified, assess performance and determine whether vendors provide sufficient guidelines for elections officials.

An Ohio company, Microsolved, will undertake penetration, or hackability, testing.

The first academic team, from Pennsylvania State University and led by Patrick McDaniel, will perform penetration testing and source-code review of Hart and Diebold systems.

Matt Blaze and other researchers from the University of Pennsylvania will analyze ES&S systems for hackability, source code and other security risks. Professor Giovanni Vigna and a team from the University of California-Santa Cruz will do the same.

The university groups will also review Compuware's reports to evaluate the risks identified, and what was done about them.

Brunner has told testers to apply all standards they think appropriate. What seems unfortunate, however, is her use of the private lab SysTest, a company embedded in the problematic federal testing and certification structure that gave Ohio its current e-voting systems.

Jefferson, the computer scientist who has advised California, was closely involved with the early discussions and research that went into Brunner's requests for proposals (RFP) for testing teams.

"The RFP was clearly designed, albeit unintentionally, to only attract corporations, versus [getting] bids from academics," he says. The application rules were onerous; the contract's reporting requirements large. This, Jefferson says, required a sizeable legal staff to write up a proposal, then manage the project - something academics don't have. Restrictive non-disclosure agreements were also an issue for university researchers, who usually want more intellectual freedom.

So, as Jefferson had predicted, only corporate testers responded. Brunner was boxed in. She needed to award the RFP she had so publicly distributed, but she also wanted her study to have the academic credibility of California's.

"When we saw the five respondents and that none of them were from the academic world, we extended the length of time for the study," Brunner says.

So Brunner went out to recruit academic experts.

Brunner had already taken until July to issue her RFP and get responses. It took another two months, until September 10, to gather academics and negotiate terms they would agree to. (Parts of the RFP went to SysTest and Microsolved, with a set of subcontracts under SysTest for the academic researchers. The academic experts wanted assurances their reports would go directly to the SOS's office, not through SysTest; that they would have complete freedom to test and write what they wanted; and that if SysTest was sued, the academics, as subcontractors, wouldn't be held liable as well.)

Jefferson doesn't understand any of this. Why pick private labs at all, he wonders, and why select one with an apparent conflict of interest?

"You're asking SysTest to evaluate Ohio's voting systems [again]," Jefferson says. "You're perhaps asking them to recapitulate on their prior test results. SysTest is a large corporation, and is not going to want a bad public relations situation which makes them appear to undermine SysTest's last 15 years of e-voting testing."

Brunner says that her office has not given SysTest hackability tasks, and so taken one area of potential conflict out of the mix. But SysTest did analyze voting system performance, which does overlap to some degree with its prior federal-level testing. Still, this kind of parallel testing, Brunner says, will balance those who question SysTest, with those who question academics as overly technical and with no perspective on the real world of elections.

In that way, Ohio's study is unique. For the first time, commercial and academic computer science realms are racing to the finish line.

On Friday, Brunner will issue her synthesis of the findings and recommendations.

Brunner says she and her staff have been looking at the reports' methodologies and tone to determine testers' credibility. For the recommendations portion, Brunner will also get input from a bipartisan board of local elections officials. She stresses, however, that she has the final word.

Brunner's spokesman, Patrick Gallaway, says the SOS's office intends to make all testers' reports public after review and redaction by staff attorneys (for hack recipes and proprietary vendor information). The primary documents could come out as soon as one week after Brunner's synthesis, but no later than the end of December.

As Ohio's March 4, 2008 primary looms, it's critical that Brunner releases the researchers' original reports quickly. Only with all of Project EVEREST in full view can an honest public discussion take place.

"Then," Jefferson says, "everyone can decide if the secretary is taking the adequate, necessary steps."
cgupta@freetimes.com
