An open letter to Diebold president and CEO Thomas Swidarski

Dear Mr. Swidarski:

Now that yesterday's elections are over, it appears that e-voting technology vendors have escaped total meltdown. That's about the best you could have hoped for, but you're not out of the woods by a long shot. If you're going to stay in the game, now is the time to get to work fixing the problems that have damaged Diebold's reputation.

E-voting is not like banking, where problems are often hidden and taken care of by working with institutional customers behind the scenes. The only way to regain your credibility is to open up. These steps will help Diebold - and other e-voting system vendors - get back on track.

  • Come clean: Acknowledge all existing problems - real or perceived - and what you have done to address each. No spin please. Just the facts.
  • Create a portal and e-mail alert service to disclose all known technical glitches and potential vulnerabilities. Rank each by severity and include recommended remediation steps. Add new information as soon as it becomes available. No delays. This information needs to be public and immediate.
  • Bring on a high-profile security expert whose credentials are beyond reproach as a senior executive or CTO.
  • Create an advisory group of qualified experts and consultants that includes stakeholders both inside and outside your organization - and have the newly hired executive chair it. Include credentialed, high-profile security experts like Bruce Schneier at Counterpane Internet Security, as well as programming experts, academics and reputable critics. Bring in the best and the brightest and listen to them.
  • Conduct a bottom-up technical review of all e-voting systems, starting with what tasks should or should not be automated. Work with the industry and all stakeholders to develop detailed best practices for proper design, operation and management of the technology.
  • Test in public. Before introducing any new products, take a page from the playbook of IT software vendors and conduct wide-scale alpha and beta testing. Include a group of industry experts, elections officials, academic researchers and other stakeholders. Encourage university researchers to conduct mock elections using student volunteers.
  • Create a structured reporting system and follow up with beta testers on all issues. Provide continuous feedback. Keep communication flowing.

All of this will take time, so get started now - and don't set expectations too high for 2008.

E-voting technology has the potential to make our election process better. Surely if Diebold can make a secure ATM there is no reason why it cannot make secure and reliable e-voting apparatus in which the public has confidence. It's time to work together to overcome the challenges.

______________________

Related Blogs and Articles:

  •  Martin McKeay: We survived the midterm elections
  •  Douglas Schweitzer: Vote-flipping becomes the impetus of complaints
  •  IT Blogwatch: E-voting stories rounded up (and palindromes)
  •  Angela Gunn: Stick a fork in e-voting?
  •  Robert L. Mitchell: Diebold could be big loser in today's elections
  •  E-voting 2006: Results a toss-up
  •  E-voting state by state: What you need to know
  •  E-voting and voter registration: The vendors

What People Are Saying

Spending all the time, money

Spending all the time, money and effort on code hardening and review is a waste if all it takes is less than a minute to infect a machine once a person has physical access to it. These machines have cheesy locks that can be picked in less than 10 seconds, allowing malicious code to be installed in under a minute. Pop's comment was right on the money, noting one of literally dozens of combinations of failure points currently existing in software, hardware and networking with hundreds, if not thousands, of people who have access to exploit them.

In "How to steal an election by hacking the vote", 10/25/2006, Jon Stokes provides an excellent overview of wholesale election rigging, which can be 100% undetectable when using electronic voting machines. Stokes references a whitepaper published by the Princeton University Center for IT Policy (also referenced on the ACCURATE site) on their fully independent "Security Analysis on the Diebold AccuVote-TS Voting Machine", in which the authors discuss writing code that spreads like a virus to other voting machines, steals votes invisibly, then deletes itself so it can't be found. They actually wrote & tested code to do this to prove that it can be done.

After 20+ years in IT, only painful experience has taught me how difficult it is to get honest cooperation out of any team if their real goals don't match yours from day one. If Diebold continues to hold on to a prior loyalty to , or feels it needs to cover its , its people will find subtle ways to slow up and taint the process that will be almost impossible to pin down with rules and regulations. It's like trying to push a string.

While better software is being developed, we need to shift to a system that already works, which means counting the tally by hardware. Until just this year in CT, we've used decades-old mechanical voting machines (which many of us would prefer to keep using, except the repair parts aren't made anymore). At the end of voting in each town, total votes for each candidate are read from the back of each machine with one representative from each party looking on. Numbers from all machines are added, totals are verified by each party rep, then phoned in to the state headquarters.

Applying this to electronic voting: use software to present the voting options (names in each category, referendum questions, etc) to the voter, but use only hardware to tally the votes. Stephanie's right about insisting on a voter verified paper trail. The person should verify their vote on a paper print out. But what good is it if it's not used? (FL now actually outlaws recounts!) Make the voter verified paper trail an integral part of the tally process.

(1) Although the Diebold AccuVote-TS is known as "paperless", it does have a built in paper printer. The voter would use the touch screen to make their selections and confirm them once. The names are then printed out in block letters that can be read by both the voter and an optical reader. The voter verifies the printout and the paper scrolls (like the receipt paper in a grocery store) so the next person can't see.
(2) After a preset number of votes (200, 500, 1000...), the paper is auto-cut and collected by a poll worker. This paper is then run through an optical reader which reads the votes using the candidates' printed names (not barcodes, too easy to slip in mismatches) and tallies them on hardware number rolls (like the click wheels on a subway turnstile).
(3) At the end of the voting, a rep from each party verifies the total votes for each candidate and totals are sent to state voting headquarters.

Error is created when processing becomes invisible and handled by something as variable and vulnerable as software; so use the software to make presenting the front end easier, and keep the back end hardwired and visible until we have a more visible and secure, electronic way to handle it. And we will, eventually. My goal is to present a way to reestablish not only voter confidence in the system but actual integrity, in the least amount of time, at the least cost.

Modifying the AccuVote-TS paper printer and making a software change to have it print out the names of the candidates each voter selected will be very quick and easy compared to the process Mr. Mitchell outlines. Getting an optical reader for every precinct should be a given. There should _a.l.w.a.y.s_ be a hardcopy verification method for _a.n.y_ type of electronic system. So even after Mr. Mitchell's plan is executed and the software is of indisputable integrity, the optical readers should be retained indefinitely and used regularly for verification.

Several items: Europe is

Several items:

Europe is also having problems with Diebold.

Florida Governor Jeb Bush, after the last public exposure of voting problems in Florida with Diebold, ordered cities, counties, etc., that when a problem was encountered, they were not to make it known to the public but to notify Bush, and he would make the decision as to whether or not the public should know. Also remember that Diebold is a big contributor to the GOP.

A process that has to be looked at very closely is the transfer of voting data to a regional center and then on to a central point. Whether the data is transmitted via cable or wireless, it can be intercepted and changed.

Good software can be located in the machine but the data can still be manipulated during the transfer process.
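The interception-and-modification concern raised in the comment above is the classic case for authenticating results in transit. The following is an added example, not Diebold's protocol or anything described on this page: a machine holds a per-machine secret key provisioned offline by the election authority, tags every closing-tally record with HMAC-SHA256 over a canonical encoding, and the regional or central receiver recomputes the tag before accepting the record. The record fields, machine identifier and key are constructed for illustration. The demo shows why "the numbers still add up" is not a check: 20 votes moved from one candidate to another leaves the ballot total intact but fails verification.

```python
"""Authenticated transmission of a precinct tally (added example).

Threat: results leave the polling place over cable or wireless and are
altered on the way to the regional/central point. Mitigation shown here:
a keyed MAC over a canonical encoding of the record, verified on receipt.
"""
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    # Sorted keys and fixed separators: sender and receiver must MAC the
    # exact same bytes for the same content, regardless of dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: dict) -> str:
    # HMAC-SHA256 over the canonical bytes; the tag travels with the record.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: dict, tag: str) -> bool:
    # Receiver recomputes and compares in constant time.
    return hmac.compare_digest(tag_record(key, record), tag)


# Constructed sample record (hypothetical election, machine and precinct
# identifiers). Binding these into the MAC'd record stops a tag from one
# machine or election being reused on another.
SAMPLE_RECORD = {
    "election_id": "2006-11-07-general",
    "machine_id": "TS-0042",
    "precinct": "Ward 3",
    "ballots_cast": 412,
    "tallies": {"Governor": {"Candidate A": 210, "Candidate B": 198, "Write-in": 4}},
}
# Constructed per-machine key; in practice provisioned offline, never sent.
MACHINE_KEY = b"constructed per-machine secret key"


def demo_tamper() -> dict:
    """Tag a genuine record, alter it in transit, and check what verifies."""
    tag = tag_record(MACHINE_KEY, SAMPLE_RECORD)

    # Man-in-the-middle shifts 20 votes between candidates. The per-race
    # total and ballots_cast are unchanged, so arithmetic alone misses it.
    tampered = json.loads(json.dumps(SAMPLE_RECORD))
    tampered["tallies"]["Governor"]["Candidate A"] += 20
    tampered["tallies"]["Governor"]["Candidate B"] -= 20

    # Attacker without the real key tries to recompute a tag anyway.
    forged_tag = tag_record(b"guessed key", tampered)

    race_total = sum(tampered["tallies"]["Governor"].values())
    return {
        "genuine_ok": verify_record(MACHINE_KEY, SAMPLE_RECORD, tag),
        "tampered_ok": verify_record(MACHINE_KEY, tampered, tag),
        "forged_ok": verify_record(MACHINE_KEY, tampered, forged_tag),
        "totals_still_add_up": race_total == SAMPLE_RECORD["ballots_cast"],
    }


if __name__ == "__main__":
    for name, result in demo_tamper().items():
        print(f"{name}: {result}")
```

Two caveats a practitioner would raise: an HMAC key is shared, so whoever holds it at the receiving end could also forge records; a per-machine signing key with the public key published before the election lets third parties verify instead. And authentication in transit says nothing about whether the machine tallied honestly in the first place, which is the point of the paper-trail proposals elsewhere in this thread.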

I would like somebody,

I would like somebody, anybody, to name one thing that was broken with paper voting, and why Diebold had to "fix" it. Alternatively, I would like somebody to explain what Diebold's motivations might be for actually fixing the problems we do know about. Most of the officials that have stock in Diebold seem to get 'voted' into the job they were looking for, so I don't really see why they would 'fix' anything--much less actually publicize the flaws. It's like asking Microsoft to publicly release their source-code. Good luck with that... and rest easy knowing that your VOTE has been subverted by an electronic game of Mouse Trap.

Paper ballots were replaced

Paper ballots were replaced by mechanical voting machines because of clever ballot substitution, by adhering marked ballots beneath blank ones and issuing them to elderly voters, by surreptitiously scribbling on marked ballots to invalidate them as they are placed in or removed from the ballot box, and a host of other schemes perfected over the years. Mechanical voting machines can also be defeated by insertion of a blocking device beneath the lever of an inconvenient opponent.

Too many people are

Too many people are questioning the wide collection of American voting standards, where quality of vote counting varies by state and county. This contrasts with the Canadian system where the Feds run the whole show, and almost nobody questions the results.

Canada has not yet endorsed e-voting. This is likely due to the controversies in the US. If Diebold wants to expand its market to other countries, it must convince people and governments that its machines are OK. Following Mitchell's suggestions would be a welcome start.

" Surely if Diebold can make

" Surely if Diebold can make a secure ATM there is no reason why it cannot make secure and reliable e-voting apparatus in which the public has confidence."

No.

I'll speak to this issue as a computer scientist with 28 years of engineering experience, and a sizeable portfolio of user interface patents.

The issue is complicated by the need to consider the situated context, in terms of failure modes. Those that say "we can build reliable ATM machines, why can't we build reliable voting machines?" are missing exactly this point, subtly so.

ATM machines - and the credit card industry - suffer from a known actuarial fraud rate. This is generally kept fairly secret, but amounts to a mild tax (reflected in interest rates) on the banking system. HOWEVER, the "error direction" is uncorrelated with general command and control of the monetary system - it is "noise", in an information processing sense. It is acceptable, whereas fraud in voting systems is not spread out in the same way - it results in point failures that swing command and control of the polis.

Hanging chads are "noise". There is more than one kind of noise, in terms of statistics; hanging chads are "white noise". The errors produced by hanging chads are spread out over the entire system in a random way. Additionally, the paper ballots are entirely "in the realm of the senses" - you can look at them, see them, touch them, judge them. And recount them, with a Mark One Eyeball (or a committee of eyeballs, drawn from opposing parties). If the error rate is small, but random (white noise), then that is acceptable in my mind; because it will even out over time, "falsely" awarding close elections to opposite parties in an unbiased manner in terms of statistics. Hanging chads do not have intention.

Moving ballots away from the realm of the senses into electronic form means that a hidden algorithm can intentionally corrupt the votes. An EEPROM memory holding software code can be difficult to trace back to known source. Add to this that Diebold claims the commercial right to hold the actual software proprietary, and you have a nasty situation where the machinery of voting now becomes arcanely obscure, not transparent, and potentially corruptible. And Diebold is known to "service" the machines in the field, sometimes without audit trails or even permission from the voting officials.

If the issue is to make it easy for the disabled to vote; fine, make machines that are touch screen etc., - that make marks on paper, that can then be fed into the traditional process, after the voter approves of the marks in front of their own eyes. I distrust even optical scanner evaluators that are software controlled; but they are at least susceptible to recounts based on the actual marks on paper ballots.

Electronic voting can so completely corrupt the system that democracy could be completely lost, in an unrecoverable way, short of a violent overthrow of the government, leaving us with a mere Spectacle where the outward forms are observed, but a permanent power arrangement comes into being.

Alex added some interesting

Alex added some interesting bullet points to my letter. I focused on openness and technology issues specific to Diebold, but establishing good policies around that is certainly critical. Many of those, of course, would need to be set by policymakers and not Diebold or other e-voting system vendors. His suggestions:

- code reviews, which might fall under my testing bullet;
- procedures for checking-in new code, which might fall under beta;
- random auditing of voting machines, a good governmental policy;
- pre-election comprehensive audit of machines and physical locations - might be impractical but it would certainly be worth trying to do an audit after an election - if you could get public money to support that. Certainly procedures for ensuring nothing is changed between the audit and election day are vital;
- freeze period for system changes prior to an election, unless it involves a clearly documented and election-critical bug fix.

Other interesting comments and suggestions appear on this Slashdot discussion, where there is no lack of wry humor. My favorite post this morning was this one from Anonymous Coward, which takes a pot shot at my bulleted list.

The thing is, after the

The thing is, after the fiascos in Florida & Ohio elections, the "powers that be" in office right now don't want folks using these machines - as they will be a verifiable record of who voted what (republican or democrat basically).

The more they make this machine look bad, the more opportunity for them to pull yet another b.s. riddled election (fixed one).

This machine, or one like it, is part of the key to stopping the Florida &/or Ohio election fiascos ever again.

A PC can handle (on a 32-bit OS) nearly the entire world population (4 GB memory addressability), let alone the U.S. voting population!

So, it is in their best interests to NOT have such a machine used imo. Just so "fixed elections" can keep happening.

Cars get recalls, PC software & equipment does & gets updates/upgrades/patches, & these machines can as well, to be corrected when needed.

I saw the HBO documentary as

I saw the HBO documentary as well, and the first question in my mind was: "Was this code written by experienced pros, or did Diebold cut staff years ago and then realize that they didn't have the tech skills to do the job?" Their design doesn't appear to have *any* protection against malicious intent.

Several years ago, I (yes, *me*) implemented a new central image server technology used by Polaroid for OTC driver license issuance systems. My code was used in several states, and worked very successfully for many years. The problems I had to overcome - audit trail, automated failover, data security, network security, etc. - are the same that Diebold needs to solve.

And, if I could solve them, *SO CAN THEY*.

re. the HBO documentary: I'd bet that the Diebold system only has the libraries and graphical routines to draw on the screen, and the card contains the setup (x/y locations, printable text, accumulator variables, etc.) for the current election. Otherwise, you'd be reloading the flash on all of those systems for each election rather than just updating the cards when required - maybe at the last minute.

It's not a bad design. But, it was poorly implemented.

OTOH, don't blame the implementation requirements - e.g. the RFP - on Diebold. They probably were told to provide an electronic voting system that can be run by volunteer poll workers who might not even know how to use a computer themselves!

\burt

Why is one idiot trying to

Why is one idiot trying to tell a crooked idiot how to run a business? Did you not learn what happens on Nov 7?