Avi Rubin on electronic elections in MD: rough going

[David Farber <dave () farber net>]

Begin forwarded message:

From: "Synthesis: Law and Technology"  
<synthesis.law.and.technology () gmail com>
Date: September 13, 2006 10:40:44 PM JST
To: dave () farber net
Subject: Re: [IP] Avi Rubin on electronic elections in MD: rough going

Dave,

This made for a great morning read. I can't decide if I was more  
struck by passion and dedication of Avi Rubin and the fellow judges  
for the democratic process that day or by the thought that paper  
voting would probably have made their days (and nights) a lot  
easier.   When examined from a systems perspective it should be  
simple to implement.  When examined from a legal/regulatory  
perspective its seems equally benign (certainly less difficult than  
the process of registering for courses at university these days).   
Why am I thinking that I should be investing in pulp&paper stocks  
before elections?   Surely the job of democracy can be made easier?


Dan Steinberg

SYNTHESIS:Law & Technology
35, du Ravin phone: (613) 794-5356
Chelsea, Quebec
J9B 1N1


On 9/13/06, David Farber <dave () farber net> wrote:

Begin forwarded message:

From: Joseph Lorenzo Hall <joehall () gmail com >
Date: September 13, 2006 1:37:15 PM JST
To: Dave Farber <dave () farber net>
Subject: Avi Rubin on electronic elections in MD: rough going
Reply-To: joehall () pobox com

http://avi-rubin.blogspot.com/2006/09/my-day-at-polls-maryland-
primary-06.html
(or, in a tiny URL: http://tinyurl.com/gngb5 )

My day at the polls - Maryland primary '06

by Avi Rubin (JHU, ACCURATE)

(internal links omitted. -JLH)

I don't know where to start. This primary today is the third election
that I have worked as an election judge. The last two elections were
in 2004, and I was in a small precinct in Timonium, MD. This time, I
was in my home precinct about 1/2 a mile from my house. We had 12
machines, over 1,000 voters and 16 judges. I woke up at 5:30 in the
morning and was at the precinct before 6:00. It is now 10:18 pm, and I
just got home a few minutes ago. As I have made it my custom, I sat
down right away to write about my experience while everything was
still fresh. In anticipation of this, I took some careful notes
throughout the day.

The biggest change over the 2004 election was the introduction of
electronic poll books that we used to check in voters. I was
introduced to these in election judge training a few weeks ago. These
are basically little touchscreen computers that are connected to an
Ethernet hub. They each contain a full database of the registered
voters in the county, and information about whether or not each voter
has already voted, in addition to all of the voter registration
information. The system is designed so that the machines constantly
sync with each other so that if a voter signs in on one of them and
then goes to another one, that voter will already be flagged as having
voted. That was the theory anyway. These poll books turned out to be a
disaster, but more on that later.

Around 7:15, when we had been open for business for 15 minutes
already, a gentlemen shows up saying that he is a judge from another
precinct nearby and that they did not receive any smartcards, so that
they could not operate their election. We had 60 smartcards, and the
chief judge suggested that we give them 20 so that they could at least
get their election started. As she was handing them over, I suggested
that we had to somehow verify his claim. After all, anyone could walk
in off the street and claim this guy's story, and we would give them
20 access cards. The chief judge agreed with me. The guy pulled out
his driver's license to prove who he was, but I told him that we were
not doubting who he was, we just wanted to verify that we should give
him the cards. He seemed to understand that. After calling the board
of elections, we were told to give him the cards and we did. A little
later, several voters who came in informed us that news reports were
saying that in Montgomery county, there was a widespread problem of
missing smatcards. I could only imagine what a nightmare that was for
those poll workers because as it was, our precinct did not have this
problem, and as you'll see, it was still tough going.

My precinct uses Diebold Accuvote TS, the same one that we analyzed in
our study 3 years ago. The first problem we encountered was that two
of the voting machine's security tag numbers did not match our
records. After a call to the board of elections, we were told to set
those aside and not use them. So, we were down to 10. We set up those
machines in a daisy chain fashion, as described in the judge manual,
and as we learned in our training. We plugged the first one into the
wall and taped the wire to the floor with electric tape so nobody
would trip over it. About two hours into the voting, I noticed that
the little power readout on the machines was red, and I thought that
this meant that the machines were on battery power. I pointed this out
to one of the chief judges, but she said this was normal. An hour
later, I checked again, and this time, the machines were on extremely
low power. This time, I took the plug out to of the wall and tried
another outlet nearby. The power icon turned green. I showed several
of the judges, and we confirmed that the original outlet was indeed
dead. Had I not checked this twice, those machines would have died in
the middle of the election, most likely in the middle of people
voting. I hate to think about how we would have handled that. A couple
of hours later, the board of elections informed us that we should use
the two voting machines with the mismatched tags, so we added them and
used them the rest of the day (!).

When we were setting up the electronic poll books, I took over because
I was more comfortable with the technology, and the others quickly
deferred to me. So, a couple of hours into the election, when one of
the poll books seemed to be out of sync with the others, the judges
came and brought me to have a look. It appeared that this poll book
was not getting synced with the others. I tested it by waiting for
someone to sign in with a different poll book, and then a few minutes
later trying to sign in that voter on the one in question. The voter
was shown as having not voted yet. I repeated this test for about 20
minutes, but it never registered that voter as having voted, and the
poll book was falling behind - about 30 by then - the other poll book
machines. I suggested rebooting that machine, and we tried that, but
it did not change anything. I pointed out to the chief judges who were
huddled around me as I experimented, that as time went by, this poll
book was going to fall further and further behind the others, and that
if someone signed in on the others, they would be able sign in again
on this one and vote again. After a call to the board of elections, we
decided to take this one out of commission. This was very unfortunate,
because our waiting lines were starting to get very long, and the
check-in was the bottleneck. The last few hours of the day, we had a
45 minute to an hour wait, and we had enough machines in service to
handle the load, but it was taking people too long to sign in.

The electronic poll books presented an even bigger problem, however.
Every so often, about once every 15-25 minutes, after a voter signed
in, and while that voter's smartcard was being programmed with the
ballot, the poll book was suddenly crash and reboot. Unfortunately,
the smartcard would not be programmed at the end of this, so the poll
worker would have to try again. However, the second time, the machine
said that the voter had already voted. The first few times this
happened, we had some very irate voters, and we had to call over the
chief judge. Soon, however, we realized what was happening, and as
soon as the poll book crashed, we warned the voter that it would come
up saying that they had already voted, but that we knew they hadn't.
Then, the chief judge would have to come over, enter a password, and
authorize that person to vote anyway. Then we had to make a log entry
of the event and quarantine the offending smartcard. Unfortunately,
the poll books take about 3 minutes to reboot, and the chief judges
are very scarce resources, so this caused further delays and caused
the long line we had for most of the afternoon and evening while many
of the machines were idle. Another problem was that the poll book
would not subtract a voter from its total count when this happened, so
every time we had an incident, the poll book voter count was further
off the mark. We had to keep track of this by hand, so we could
reconcile it at the end of the day.

At times, the remaining two poll books were way out of synch, but
after a while, they caught up with each other. When the lines got
really long, we considered the idea of trying to use the third one
that had caused problems, but we all agreed that we would feel very
stupid if all of them started crashing more. I was worried that
synching three of these on an Ethernet hub was more complex than 2,
and in fact, they were crashing a bit less often when we had only 2.
The whole time I was worried about what we would do if these thing
really died or crashed so badly and so often that we couldn't really
use them. We had no backup voter cards, so the best we could have done
would have been to start letting everybody vote by provisional
ballots. However, we had two small pads of those ballots, and we would
have run out quickly. I can't imagine basing the success of an
election on something so fragile as these terrible, buggy machines.

Throughout the early part of the day, there was a Diebold
representative at our precinct. When I was setting up the poll books,
he came over to "help", and I ended up explaining to him why I had to
hook the ethernet cables into a hub instead of directly into all the
machines (not to mention the fact that there were not enough ports on
the machines to do it that way). The next few times we had problems,
the judges would call him over, and then he called me over to help.
After a while, I asked him how long he had been working for Diebold
because he didn't seem to know anything about the equipment, and he
said, "one day." I said, "You mean they hired you yesterday?" And he
replied, "yes, I had 6 hours of training yesterday. It was 80 people
and 2 instructors, and none of us really knew what was going on." I
asked him how this was possible, and he replied, "I shouldn't be
telling you this, but it's all money. They are too cheap to do this
right. They should have a real tech person in each precinct, but that
costs too much, so they go out and hire a bunch of contractors the day
before the election, and they think that they can train us, but it's
too compressed." Around 4 pm, he came and told me that he wasn't doing
any good there, and that he was too frustrated, and that he was going
home. We didn't see him again.

I haven't written at all about the Accuvote machines. I guess I've
made my opinions about that known in the past, and my new book deals
primarily with them. Nothing happened today to change my opinion about
the security of these systems, but I did have some eye opening
experiences about the weaknesses of some of the physical security
measures that are touted as providing the missing security. For
example, I carefully studied the tamper tape that is used to guard the
memory cards. In light of Hursti's report, the security of the memory
cards is critical. Well, I am 100% convinced that if the tamper tape
had been peeled off and put back on, nobody except a very well trained
professional would notice it. The tamper tape has a tiny version of
the word "void" appear inside it after it has been removed and
replaced, but it is very subtle. In fact, a couple of times, due to
issues we had with the machines, the chief judge removed the tamper
tape and then put it back. One time, it was to reboot a machine that
was hanging when a voter was trying to vote. I looked at the tamper
tape that was replaced and couldn't tell the difference, and then it
occurred to me that instead of rebooting, someone could mess with the
memory card and replace the tape, and we wouldn't have noticed. I
asked if I could play with the tamper tape a bit, and they let me
handle it. I believe I can now, with great effort and concentration,
tell the difference between one that has been peeled off and one that
has not. But, I did not see the judges using that kind of care every
time they opened and closed them. As far as I'm concerned, the tamper
tape does very little in the way of actual security, and that will be
the case as long as it is used by lay poll workers, as opposed to CIA
agents.

As we were computing the final tallies towards the end of the evening,
one of the Diebold machines froze. We had not yet printed the report
that is used to post the results. One of the judges went to call the
board of elections. She said she was transfered and then disconnected.
We decided to do a hard reboot of it after we closed down the other
machines. When we finished the other machines, we noticed that the
problem one had somehow recovered, and we were able to finish. Strange
because it was frozen for about 10 minutes.

So, this day at the polls was different from my two experiences in
2004. I felt more like an experienced veteran than a wide eyed newbie.
The novelty that I felt in 2002 was gone, and I felt seasoned. Even
the chief judges often came to me asking advice on how to handle
various crises that arose. Several other suggested that I should apply
to be a chief judge in the next election cycle, and I will probably do
that. The least pleasant part of the day was a nagging concern that
something would go terribly wrong, and that we would have no way to
recover. I believe that fully electronic systems, such as the precinct
we had today, are too fragile. The smallest thing can lead to a
disaster. We had a long line of "customers" who were mostly patient,
but somewhat irritated, and I felt like we were not always in a
position to offer them decent customer service. When our poll books
crashed, and the lines grew, I had a sense of dread that we might end
up finishing the day without a completed election. As an election
judge I put aside my personal beliefs that these machines are easy to
rig in an undetectable way, and become more worried that the election
process would completely fail. I don't think it would have taken much
for that to have happened.

One other things struck me. In 2004, most voters seemed happy with the
machines. This time around, many of them complained about a lack of a
paper trail. Some of them clearly knew who I was and my position on
this, but others clearly did not. I did not hear one voter say they
were happy with the machines, and a dozen or so expressed strong
feelings against them.

I am way too tired now (it's past 11 pm) to write any kind of
philosophical ending to this already too long blog entry. I hope that
we got it right in my precinct, but I know that there is no way to
know for sure. We cannot do recounts. Finally, I have to say a few
words about my fellow poll workers. We all worked from 6 a.m. to past
10 p.m. These volunteers were cheerful, pleasant, and diligent. They
were there to serve the public, and they acted like it. I greatly
admire them, and while the election technology selection and testing
processes in this country makes me sick, I take great hope and
inspiration from a day in the trenches with these people.

--
Joseph Lorenzo Hall
PhD Student, UC Berkeley, School of Information
< http://josephhall.org/>


-------------------------------------
You are subscribed as synthesis.law.and.technology () gmail com
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting- 
people/



--

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/