Yesterday, I wrote Sequoia Voting Systems threatens Princeton researchers. This morning, it appears that the threat has been successful in attaining its goal: Union County, NJ has dropped its plans to have security uber-expert Dr. Felten of Princeton University examine these systems.
Meanwhile, in a related story, Ohio voting machines declared an official crime scene.
The Star-Ledger headline is Plan for voting machine probe dropped after lawsuit threat and reads in part:
A Sequoia executive, Edwin Smith, put Union County Clerk Joanne Rajoppi on notice that an independent analysis would violate the licensing agreement between his firm and the county. In a terse two-page letter Smith also argued the voting machine software is a Sequoia trade secret and cannot be handed over to any third party.
Last week Rajoppi persuaded the statewide clerk's association to have an independent study of the machines done by Edward Felten, a professor of computer science and public affairs at Princeton University. The Constitutional Officers Association of New Jersey called for the independent review to ensure the integrity of the election process.
Sequoia maintains the errors, which were documented in at least five counties, occurred due to mistakes by poll workers. The firm, which is based in Colorado, examined machines in Middlesex County, and concluded that poll workers had pushed the wrong buttons on the control panels, resulting in errors in the numbers of ballots cast.
But officials found it odd that such an error never occurred before and the clerk's association wanted further testing.
I trust it's obvious why this entire episode represents a victory for unscrupulous, incompetent voting machine vendors and a serious loss for the voting public, so I won't dwell on that. Instead, I'd like to make a few other points that have come to mind based on some excellent responses to yesterday's diary (thank you, commenters!) and then talk about the Ohio mess.
First, let's realize that even if Sequoia Voting Systems ultimately succeeds with this heavy-handed tactic, that won't stop their systems from eventually falling into the hands of people that might take them apart to see how they work. Dr. Felten's own blog notes (from the November 2006 elections): Unattended Voting Machines Already Showing Up. He notes the same problem again just last month: Unattended Voting Machines, As Usual. And he's not the only one -- I just found it handy to cite entries from his blog. There have been so many reports of unattended voting machines over the past few years that I think by now it's at least plausible to assume that some have been stolen.
And if that's the case, then it's very likely that the thin veneer of "security" that covers the vulnerable interior of these systems has long since been breached. By now, the hardware's been dissected, the software disassembled and decompiled, and the entire system reverse-engineered. That doesn't bode well, given that the vendors themselves keep adopting public stances that suggest they know full well these systems rely on security-by-obscurity -- one of the better-known guaranteed ways to fail.
Second, let me expand on something I wrote in the comments yesterday: it's not at all clear that we know how to make a computerized voting system that provides sufficient accuracy and security. There are so many possible attack vectors that it's exceedingly difficult to even identify all of them, let alone devise countermeasures. Here's just one example: suppose (overcoming massive resistance) we get the vendors to publish the source code for the software. Suppose (and this is an optimistic assumption on par with "we will be greeted by flowers") that the code is miraculously found to be correct: that is, the program actually does what it's supposed to do. Let's add another hyper-unrealistic assumption: let's suppose that the code is determined, via extensive peer review by thousands of programmers all over the 'net, to have zero security holes.
Are we home free? Not a chance. How do we know that the code installed in the production systems was actually compiled from the code we're looking at? Or, how do we know that production code doesn't have a backdoor inserted into it during the compilation process? Computer science types are now smiling and nodding as they recognize this scenario as a variant of that explained in Ken Thompson's masterful Turing Award Lecture, Reflections on Trusting Trust. And even if we somehow managed to work all this out, then an attacker could neatly render all of it moot by noting all those unattended voting machines (see above) and using a hotel mini-bar key to unlock them and install different software.
Third, the barriers to sophisticated attacks are not as high as one might think. (Or as voting machine company PR would assert.) Bruce Schneier wrote a chilling analysis called Stealing an Election in which he engages in some back-of-the-envelope calculations and concludes:
If a voting machine collects 250 votes (about 125 for each candidate), rigging the machine to swing all of its votes would be worth $25,000. That's going to be detected, so is unlikely to happen. Swinging 10% of the votes on any given machine would be worth $2500.
This suggests that it is necessary to assume that attacks against individual voting machines are a serious risk.
Computerized voting machines have software, which means we need to figure out what it's worth to compromise a voting machine software design or code, and not just individual machines. Any voting machine type deployed in 25% of precincts would register enough votes that malicious software could swing the balance of power without creating terribly obvious statistical abnormalities.
In 2002, all the Congressional candidates together raised over $500M. As a result, one can conservatively conclude that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget.
It's difficult to defend against attackers with a budget 0.1% of that; taking on those with such enormous resources is a truly daunting task. Not only would they be in a position to use highly advanced technical measures, with that kind of cash they could go after people: bribes, blackmail, extortion are all easily within their reach.
How do we know that this hasn't already happened?
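To put numbers on Schneier's two claims (that a 10% swing on one machine is small, and that a machine type used in 25% of precincts is enough to move a statewide result), here is an added example of my own; it is not code from the diary, from Schneier or from any vendor. All precinct data is constructed: 400 precincts of 250 ballots each with genuine support near 50/50, machine type "X" in every fourth precinct, and a fixed 10% of ballots moved from B to A wherever type X is used. The second function is the check an auditor would run on the reported totals alone: compare A's share across machine types. The shift is only 2.5 points in the aggregate, which is exactly what makes it hard to notice statewide, yet stratifying by machine type exposes it immediately, which is why results tagged by machine type, plus a paper record to recount against, matter so much.

```python
import statistics

VOTES_PER_PRECINCT = 250


def make_precincts(n_precincts=400, swing_fraction=0.10):
    """Build a synthetic (constructed, not real) set of precinct results.

    Genuine support for A is near 50%; the per-precinct variation follows a
    fixed arithmetic pattern so the example is deterministic. Precincts whose
    index is a multiple of 4 (25% of them) use machine type "X"; on those, a
    fixed fraction of ballots is silently moved from B to A, which is the
    per-machine swing Schneier describes. Everything else uses type "Y".
    """
    records = []
    for i in range(n_precincts):
        machine = "X" if i % 4 == 0 else "Y"
        honest_a = 115 + (37 * i) % 21          # ranges 115..135, mean ~125
        reported_a = honest_a
        if machine == "X":
            reported_a += round(VOTES_PER_PRECINCT * swing_fraction)
        records.append({
            "machine": machine,
            "honest_a": honest_a,
            "reported_a": reported_a,
            "reported_b": VOTES_PER_PRECINCT - reported_a,
        })
    return records


def aggregate_shift(records):
    """Statewide share for A: honest, as reported, and the difference."""
    total = len(records) * VOTES_PER_PRECINCT
    honest = sum(r["honest_a"] for r in records) / total
    reported = sum(r["reported_a"] for r in records) / total
    return honest, reported, reported - honest


def audit_by_machine_type(records):
    """Auditor's check using only what an auditor has: reported totals and
    the machine type per precinct. Returns the difference in A's mean share
    between type X and type Y precincts and a two-sample z statistic for it.
    A value of |z| above roughly 3 is not explained by precinct-to-precinct
    noise and calls for a hand recount of the type X precincts."""
    shares = {"X": [], "Y": []}
    for r in records:
        shares[r["machine"]].append(r["reported_a"] / VOTES_PER_PRECINCT)
    x, y = shares["X"], shares["Y"]
    diff = statistics.mean(x) - statistics.mean(y)
    se = (statistics.variance(x) / len(x) + statistics.variance(y) / len(y)) ** 0.5
    return diff, diff / se


if __name__ == "__main__":
    recs = make_precincts()
    honest, reported, shift = aggregate_shift(recs)
    diff, z = audit_by_machine_type(recs)
    print(f"honest A share {honest:.4f}, reported {reported:.4f}, shift {shift:+.4f}")
    print(f"A share on type X minus type Y: {diff:+.4f} (z = {z:.1f})")
    _, z0 = audit_by_machine_type(make_precincts(swing_fraction=0.0))
    print(f"same check with no tampering: z = {z0:.1f}")
```

In the constructed data B wins honestly by a hair and A wins as reported, so the 2.5 point aggregate shift is decisive while staying well inside what a close race looks like; running the audit with `swing_fraction=0.0` shows the z statistic drop to ordinary noise, which is the baseline an auditor compares against.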
Which brings me to the Ohio mess. The Inquirer reports Ohio voting machines declared an official crime scene and explains:
Alerted by Ohio's Secretary of State, Jennifer Brunner, Franklin County election officials have ordered the Ohio Bureau of Criminal Identification and Investigation to seize as an official crime scene some 15 touch-screen voting machines that had produced improbable results in a state-wide 2006 election.
In addition, a bogus Homeland Security Alert that led to 2004 general election vote counting shenanigans in a key southwestern Ohio county is under renewed investigation. It is well documented and widely believed that numerous election "irregularities" orchestrated by J. Kenneth Blackwell, Ohio's former Secretary of State, succeeded in stealing Ohio's 20 electoral votes for George W. Bush in 2004, delivering to him an undeserved, catastrophic second term as President ['allegedly', adds our legal department].
The article goes on to point out that it's going to be very difficult at this late date to figure out what actually happened. Well, besides:
Franklin County Board of Elections Director Matt Damschroder was removed prior to Ohio's 2008 primary election. He had previously been suspended for a month without pay for accepting a $10,000 Republican campaign contribution check from a voting machine salesman at his office.
The check was delivered on the day Ohio's electronic voting machine contracts were opened for bidding. Damschroder had been the chair of the Franklin County Republican Party and was the state's leading opponent of paper balloting until he was forced out.
I think it's abundantly clear what happened there. (Please note the dollar amount involved and compare to Schneier's calculations, then extrapolate.) But while that's certainly part of the debacle in Ohio, it's certainly not the whole picture. Nor is this problem (terrible though it is) a thing of the past: the LA Times reported Ohio Democratic primary could hinge on county with troubled elections on March 1, 2008. This begs the question, "what will be done in Ohio before November 2008?" and the larger question "what will be done everywhere else?" since there's nothing Ohio-specific about these issues, beyond the people involved.