Tagged election incident

Kudos to Cuyahoga

I was very encouraged by recent election news from Ohio’s Cuyahoga County, reported in the Cleveland Plain Dealer newspaper: Reason for election machine glitch found, officials expect things to be OK for the primary. At first blush, it might seem like bad news:

All told, 89 of the Cuyahoga County Board of Elections‘  1,200 machines powered down and then froze during a specific test done to ensure the optical scanners were reading paper ballots correctly.

But as the Plain Dealer’s Joan Mazzoli said in her folksy headline, the point is that the Cuyahoga BOE disclosed to the public exactly the problems that they encountered, the scope of the problems, and the possible effect on the election that will be conducted with machines that they tested. In fact BOE director Jane Platten explained the specific error logging procedures that they will use to audit the election, to make sure that no votes are lost even if the machines malfunction during the election. As Mazzoli quoted Platten:

We want to ensure everyone’s votes are counted.

Of course that is every election official’s goal, but this news is about a bit more: making sure that everyone’s votes are counted, and “making sure” in a way that the voters can see and believe in despite known problems with the election technology being used. That is what I call helping people Trust the Vote, and for that I say – Kudos to Cuyahoga!

— EJS

Dust Settles on Internet Voting Debate; Mea Culpa Included

Whew.

Debate-1We’re through it, and for all the angst, sweat, and tears, I sense it went well.  I want to thank the Panelists for being so good-natured (and well behaved as to the time limits in responses).  We had some intense moments of heated disagreement and heated agreement.  I’ll have some more to say later when more recovered, but I believe this is the start of an on-going conversation that brought out the challenges and opportunities of using the Internet in the elections and voting processes.

Mea Culpa(s)

  1. Apologies to Operation Bravo for getting it absolutely wrong on the Pilot locations (polling being on verses off Military base).  I learned a valuable lesson to not try and wedge in that final question in the middle of the night when its too late to wake anyone to confirm facts.  Good thing I had the “Plan B” question.
  2. Apologies to the activists who hounded me about using a coin toss to determine which side went first on closing remarks. I agreed to do so, put the 2 Euro in my pocket to toss, and then completely forgot in the rush of the final moments before going  live to actually toss the coin, and had to randomly point at one side to go first at closing. DoH!

For whatever its wDebate-2orth, I will not declare a winner or loser.  You can watch it on Vimeo or YouTube yourself when it finally posts in a couple of weeks.

But I will say this, as Moderator I thought the Proponents Team pulled it together in the closing argument and made some interesting points after earlier seemingly dropping some balls on answers.  And I thought the Opponents Team could’ve registered a far stronger closing statement after slicing through issues with surgical precision throughout the preceding 80 minutes.

One More Apology

One final, off-topic comment that constitutes another, more serious “mea culpa.” It has been called to my attention by a County Elections Official from Ohio who was “in the trenches” in 2004 and 2006, that our Every Vote Counts booklet has an error on the time-line page claiming a recount was required in the 2004 Ohio results due to machine errors.  This is completely false on all counts and I allowed ourselves to be drawn in by some faulty reporting and research.  In fact, some recounts in 2006 (not ’04) were due to some scanning equipment malfunctions of a mechanical nature only.  The machine issues otherwise alleged have never been substantiated and this Election Official, Rokey Suleman (now running elections in D.C.) has good reason to be frustrated with me by something unintentionally picking at an old battle scar.

We’re going to fix that.  I am committed to transparency.  First, may I please publicly apologize to Rokey Suleman for my public relations and outreach teams’ embarrassing goof.  The buck (er, book) stops with me; they’re my team and I take full responsibility for that.  There are no excuses.  We should have done closer proofing of the work.  OSDV Foundation has a great story to tell, and I hate the possibility of diluting it with an errant statement or representation.

Here is the repair list:

  1. We will correct that page before any further printing of that booklet.  I will do my best to halt further distribution of this version, but apologize in advance if there remain copies floating about or accidentally further distributed.
  2. More importantly, we’re going to give Rokey Suleman our podium here to explain to all of you reading, the story inside Ohio from one of the gentleman who was in the middle of it; from his personal and direct experience.  Mr. Suleman has agreed to draft that for our publication here under his name as a guest blogger.

Furthermore, I note that we learned here in Munich that Rokey is doing some amazing things in his new appointment running D.C. elections.  And he has a deep commitment to overseas and military voters.  I find him to be highly motivated, and passionately committed to accurate, transparent, trustworthy, and secure elections.  And I am impressed by his innovative attitude and intense commitment to seeing the District of Columbia (America’s answer to the Vatican 😉 ) be a thought leader and model for elections in the 21st century and digital age.  His passion for transparency (and interest in open source methods) is refreshing.

I hope this small token of our regrets will allow Rokey Suleman another reasonably public forum to set the record straight (in this case, apparently skewed again at our own hands).

Otherwise, the Debate was fun and exhausting and I can’t wait for the video replay.
Cheers

GAM|out

Election Equipment Stolen, Election Not Stolen

Thanks to erstwhile election texpert Dan Wallach for bring attention to the burglary of an early voting center in Houston, and to the Houston Chronicle’s Chris Moran for coverage of the story including good quotes from Dan! But I have to add that in addition to theft of computers containing voter records, there were also voting machines (Hart InterCivic DRE devices and the central controller for them) that were not stolen, but the thieves had access to. And as I’ve pointed out a number of times, it’s a shame that these voting systems (Hart and all the others) store vote data on re-writable media, and of course the software is equally modifiable as well. It’s one thing to have these fundamentally vulnerable machines in county facilities, or temporary deployed during Election Day in polling places under the watchful eye of poll workers — but another to leave them sitting in community center utility rooms overnight, night after night for a couple weeks. The votes (the electronic recording of e-ballots) are just sitting there protected by a lock on the door.

But even more importantly, as Dan pointed out to me, the real problem is confidence in the election result. Suppose a contest in this election is close, and someone claims that the election results from this particular precinct are anomalous or suspicious. It would be impractical to prove the negative — that the machines or the vote data were not tampered with, even though we know there was opportunity for it. Now, don’t get me wrong. In this case I doubt that bad guys were trying to sway this election by jiggering a handful of DREs, using special skills to falsify the security seals on the devices, and calling attention to the deed by ripping off some PCs. But because these voting machines are vulnerable in their basic design, incidents like this one can’t help but give naysayers the ability to cast doubt on the election results. We can do better — and will.

But technology aside, I still have questions on the election officials’ response to the incident. As Moran reported, yes they will check the security seals (twice!) and will assume that, absent evidence of tampering, these machines are in the same state that they left election HQ, and that the data they recorded was not effected either. But suppose that the thieves banged the machines about a bit, broke a security seal, flaked out a disk drive – or even that someone walked by with a big magnet in their pocket, and scrambled a few bits? The machines would show evidence of tampering or damage, but vote data on them might still be recoverable. Should those votes count in the election result? There is no really good answer – either way, public confidence in the election results is compromised. That can’t be prevented 100% by any technology, but here is a novel idea: let’s design voting technology so that we purposely avoid having it be the Achilles Heel of public confidence. OK, maybe it’s not so novel, but it is what we’re doing.

— EJS

Virus in NY Voting Machine? Not Really

The reports of computer viruses in NY voting machines — though spurious — cause me to return to a basic mantra of TrustTheVote: we do technology development so that election tech helps inspire public confidence in elections, rather than erode it.

The NY case is a great example of erosion, but also a cautionary tale for future inspiration. The caution comes from the significant and ongoing confusion about the term “virus”. But first, the situation in question arose in Hamilton County, NY, part of the hotly contested NY 23rd Congressional District race between Hoffman and Owens. It’s an ugly scene, because the vote was close, it’s already certified, Owen is seated, but re-canvassing efforts highlighted some counting irregularities. These weren’t large enough to effect the race, but were enough to spark Hoffman to un-concede defeat, and to issue a letter with some really disturbing claims of the election having been stolen. Now, add to this the claim that the election result is further tainted by the discovery of a computer virus in the voting system used in Hamilton. That’s a real example of tech digging the confidence hole that much deeper – ouch!

But the really sad part of this, for me, is that the true story is a good story about election officials doing the right thing: when they found a software bug, they worked with the vendor and created an effective work-around — maintaining the integrity of the system, the exact opposite of the story about the virus undermining the system. The real virus is that spurious story! The details, provided by NY State election official Doug Kellner, also provide another example of complexity of diligent election administration:

In pre-election testing several counties discovered the Dominion ImageCast machines froze when fed ballots that contained contests with multiple candidates to be elected.  It was determined during the week before the election that the cause was a source code programming error in the dynamic memory allocation of the function that stores ballot images–not the counting function.   Although only one line of source code needed modification, NYSBOE staff properly refused to approve any modification of source code without proper certification.  Dominion developed a work-around by changing the ballot configuration file–not the source code so that the machines using the new configuration files functioned on election day.  It is my understanding that a few county officials, who were using the machines for the first time, did not properly revise the configuration files and the machines were used in emergency ballot mode–that is, ballots were inserted in the emergency ballot boxes contained within the machine and were counted manually after the close of the polls.

Kudos to NY for doing their job right, in the real world of flawed equipment, not the fantasy land of viruses and stolen elections. New Yorkers should be thanking the NYSBOE for a job well done!

— EJS

PS: For a detailed debunking of the virus claims, see the blog of NY election tech expert and advocate Bo Lipari. It’s excellent. It got picked up in local press. But it can’t catch up to the idea virus, as the tale continues to mutate through the blogosphere that Hoffman was cheated by corrupt election officials, or ACORN, or computer hackers, or viruses, or some combination. ;-(

Another vote for paper

Check out No Voting Machine Virus in NY-23 Election(from Bo Lipari – Essays and Images:

“Finally, the good news – because New York votes on paper, everybody’s vote was counted. When the scanner stopped working, the ballots were removed and counted, so no votes were lost. Paper ballots, a software independent record of the vote, proved their great value in their very first outing in the Empire State. ” (from: No Voting Machine Virus in NY-23 Election)

Its an interesting article explaining what actually seemed to have happened in NY-23. I say “seemed” because I am sure there must be other interpreations and explanations, but the one I am citing here rings pretty realistic to me.

Votes Lost & Found in Myrtle Beach

Election officials in Myrtle Beach, SC, noted the absence of about 260 votes in the recent election there. Fortunately, the votes were found, and the reason for the error discovered — and both before the election was certified. It’s a good thing that Myrtle Beach election officials were making their lists and checking them twice, because it’s quite possible for the omission to have been overlooked until after the election was final. However, the story is a good illustration of how some technology design decisions create the scope for operator error.

The basic story is that in one polling place, a poll worker made a mistake in the process of extracting electronic vote totals from a voting machine, using a removable data storage cartridge in a way that’s similar to how you might use a USB flash drive to copy some files off of your PC. The problem, however, it that these particular voting machines are designed to be picky — if you don’t use the right cartridge the right way, the data is not copied, and is omitted from the supposedly complete vote totals compiled later (Also, it is not obvious to exhausted poll volunteers when this mistake occurs.)

You might ask, why so picky? Wouldn’t it be better to record vote totals in a way that didn’t depend on a poll worker not making mistakes at the end of an 18+ hour day? Well of course, put that way, yes. But when you look at the actual details of the way the iVotronic voting machines work, you can see that from a techie perspective, the design is not crazy — right up to the V-8 moment of realizing that a consequence is that operator error results in lost votes. Those details are not technical, quite instructive, and well explained by voting technology expert Doug Jones:

The electronic cartridge (PEB) is used to initialize the machine in the morning, enable the machine for voting before each voter, and close down the machine in the evening.

In some jurisdictions, a polling place has multiple PEBs: a master PEB for opening and closing the polls, and another used for routine voting. When you do this, only the master PEB has the zero report and the vote totals on it. If you’ve got several iVotronics at the polling place, and you use a different PEB to close the polls on some of them, the master PEB won’t have all the totals; then, when you upload it, you’ll be missing votes from some machines.

This is an excellent example of a procedural error of the type that the voting systems could help defend against, but don’t. It would be possible to write specs that lead to automatic detection of machines believed to have been deployed for which no totals have been reported. Sadly, we haven’t got such behavior in our system specs, and as a result, we chalk such problems up to human error and let the voting system off the hook.

As you can see, once again the devil is in the details — and thanks to Doug for the infernal info.

— EJS

Recounts in Pennsylvania

Pennsylvania has ordered a statewide recount of the race for Pennsylvania Superior Court Judge – a recount that is similar in scope and significance as the Minnesota Franken/Coleman recount (though one hopes less acrimonious), as the result will decide who will be making durable rulings in law for the whole state.

It’s an interesting story, for at least a couple reasons. This recount is also the first one performed under the PA state law that automatically triggers a full recount when a contest’s margin of victory is by less than one-half of 1 percent of the total votes cast. It’s also interesting because of the variety of voting technology across the state, and hence the variety of re-counting methods and results. For example, in Lackawanna County, which was already doing local-race recounting a few days ago, County Commissioner Mike Washo was quoted:

We share the concerns of everyone who came here to talk about having every vote count. We’re going to ensure that every vote is counted. The good news is, with paper, we have the ballots.

Even so, there is still controversy there, because the re-count is using equipment that is similar to the counting equipment that had the apparent failures that caused Lackawanna County officials to do the recount in the first place. Despite the 2% hand recount, some are wishing for 100% hand recount in addition to the machine recount.

In other counties, no doubt the local variations in voting methods will drive different concerns and controversies. But the compare-and-contrast possibilities of this statewide recount should be very instructive. Stay tuned …

— EJS

Identifying the Gold: Does Open Source Help?

A good question re-surfaced for us as we participated in the National Civic Summit recently. The issue was and remains about identifying a “gold build,” that is, when there is a particular system/version that is certified for use as a voting system, how should election officials know that the systems that they deployed are systems that are an instance of the certified system. Previously, we provided some answers of how you could answer the question “How do I know that this voting machine is a good one” and provide in the wiki on a more technical treatment of “field validation” of voting system devices.

But the  slightly different question that arose recently is: how does open source help?

The simple answer is that  open source techniques do not directly help at all. We could build a completely open system that has exactly the same architectural blockades to field validation as the current vendors’ product do. However, the TrustTheVote open source project has some advantages. First, we’re working on voting systems, which have sufficiently simple functional requirements (compared to general purpose computing systems) that field validation of voting devices isn’t as difficult as in the more general case. *

The second advantage allows us to sidestep many of these complexities, given the relative simplicity of voting devices. We were able to  go back to the drawing board and use an architecture that simplifies the field validation problems, for the very specific and limited class of systems that are voting devices.

Openness itself didn’t create these two advantages; but in conducting a public works project, we have the freedom to start fresh and avoid basic architecture pitfalls that can undermine trust. Therefore, the value of working openly is that the benefit of this work — increased confidence and trust — is a bit more easily achieved because field validation is fundamentally a systems trust issue, and we address in a way that can be freely assessed by anyone. And that’s where the open source approach helps.

— EJS

* NOTE: for the detail-oriented folks: in general, the twin problems of Trusted Software Distribution and Trusted System Validation are, in their general form, truly hard problems. Feasible approaches to them usually rely on complex use of cryptography, which simply shifts the burden to other hard problems in practical applied cryptography. For example, with “code signing” my Dad’s computer can tell him that it thinks he should trust some new software because is it signed as being from his SW vendor (e.g., Microsoft or HP); but he wonders (rightly) why he should trust his computer’s judgment in this matter, given the other mistakes that his computer makes. For more on the non-general voting-system-friendly solution, see the TrustTheVote wiki: https://wiki.trustthevote.org/index.php/Field_Validation_of_Voting_Systems

World’s Largest Democracy? Hacked?

Today’s news yielded another pair of oddly juxtaposed news items. Starting with news from the world’s largest democracy, India, where voting machine tampering is in the news, following a recent election in Orissa province.

Strange things have happened in many states including Orissa and a lot of complaints, allegations and cases have been lodged, observed the NGO and technocrat team.“We are taking the issue up at a national level. We are not opposed to the use of EVMs but we want them to be the pride of India and therefore tamper-proof,” said Mr Prasad and Mr Rao.

Given the level of activism involved, it may be that India will soon be the world’s leader in e-voting incidents, at least as measured by number of voters potentially affected.

Another candidate for world’s largest voting body — the Internet, or in this case, the subset of net-connected people planet-wide, who elected to participate in the Time.com 100 Poll on the world’s most influential people in government, science, technology and the arts. Millions voted, or, well,  there were millions of votes, but we’re not sure how many voters. It turns out that Time’s 100 Poll voting system was hacked in a particular and clever way. Not only did the winner turn out to be “moot” (the handle for founder of the 4chan graphic BBS) but the whole poll was rigged continually so that the acronym of the names of the top 21 influential people turned out to be “Marble Cake, or The Game.” (Apologies to #5 placer Larry Brilliant, who might actually be the 5th most influential person on the planet, rather than just the B in marBle). A blog posting by Paul Lamere includes an excellent account of the details of the hack.

For the Time.com 100 hack, the local reaction here in Silicon Valley may be mainly one of wry amusement, but I expect the same may not be true with our counterparts in Bangalore, Pune, et. al. India’s election integrity NGOs are now calling for a way that to promote public confidence that India’s real elections are more trustworthy that Time’s Internet polls — with the added challenge of public pride in a country that is far less technically literate, and indeed far less literate, than the U.S. electorate that we are more used to thinking of. Heartfelt best of luck to Prasad, Rao, and compatriots in India. Now, back in Silicon Valley, it’s tea-time – a slice of marble cake, anyone?

— EJS

Mini-Minnesota in Virginia

I’d like to call your attention to this week’s electile dysfunction news, which is about a mini-Minnesota situation in Fairfax County, Virginia. I think it’s instructive because it illustrates how some problems with "paperless" voting are actually quite similar to a more old-fashioned form of voting, "paper only" voting, and a mooted new-fangled kind of voting, Internet voting.

Read more