Posted on 03/04/2004 3:58:48 PM PST by irv
It is now 10:30 pm, and I have been up since 5 a.m. this morning. Today, I served as an election judge in the primary election, and I am writing down my experience now, despite being extremely tired, as everything is fresh in my mind, and this was one of the most incredible days in my life.
I first became embroiled in the current national debate on evoting security when Dan Wallach of Rice University and I, along with Computer Scientist Yoshi Kohno and my Ph.D. student Adam Stubblefield released a report analyzing the software in Diebold's Accuvote voting machines.
Although there were four of us on the project, perhaps because I was the most senior of the group, the report became widely associate with me, and people began referring to it as the "Hopkins report" or even in some cases the "Rubin report". I became the target of much criticism from Maryland and Georgia election officials who were deeply committed to these machines, and of course, of the vendor. The biggest criticism that I received was that I am an academic scientist and that academics do not "know siccum" about elections, as Doug Lewis from the Election Center put very eloquently.
While I dispute many of the claims that computer scientists working on e-voting security analysis are deficient in their knowledge of elections, I realized that there was only one way to stifle this criticism, and at the same time to perform a civic duty. I volunteered to become an election judge in Baltimore County. The first step was to get signed up. I filled out a form at a local grocery store and waited for a call from the Baltimore County Board of Elections. The call never came. So, I called up the board and spoke with the head of elections and found out that there was a mandatory training session a couple of days later. I got on to the list for the training, and I attended. There, I learned that my entire county would be voting with Diebold Accuvote TS machines, the very one that we had analyzed in our report. It was an eery feeling as I trained for 2 hours on every aspect of using the machine and teaching others how to use them. Afterwards, I received a certificate signed by the board of elections and became a qualified judge. I was supposed to receive a phone call within a few days assigning me to a precinct, but I did not. So, I called up the board of elections and spoke with the same woman, who assigned me to a precinct at a church in Timonium, MD, about 15 minutes from my house.
I reported to my precinct at 5:45 a.m. this morning. Introductions began, and I immediately realized that it would not be a normal day. There are two head judges, one from each party. There were also seven other judges. The head judges were Marie (R) and Jim (D). Both of them mentioned that they read about me in the paper that morning, and were pretty cold towards me. It turns out that the Baltimore Sun ran a story today about my being an election judge. In there, I'm quoted as saying that the other judges in my training were in the "grandparent category" with respect to their age. My colleagues for the day, who were in that category as well, did not appreciate the barb and were ready to spar with me.
There are three types of judges besides the head judges. There are four book judges, one from each party with A-K and one from each party with L-Z. There is one judge assigned to provisional ballots, and a couple of unit judges charged with assigning voters to particular machines. I was the L-Z democrat book judge, along with Andy, a grandfather of many, a staunch Republican, and a fellow I grew very fond of as the day went on. To my left were Anne, the Republican judge married to Andy, and Sandy. Actually, there were two Sandys. One began as a unit judge, but early on switched with the other Sandy to be the democratic book judge on A-K. Bill was the provisional judge, and he is married to head judge Marie. And then there was Joy. One of the Sandys, Joy and I were the three younger judges who did not fit into the grandparent category.
Joy was by far the most knowledgeable about the election. She had trained dozens of groups on the Diebold machine, and she knew all of the procedures inside and out. The head judges deferred to Joy on just about every major issue that came up. She knew our manuals by heart, and we were very lucky to have her there. In reality, all of us helped with all of the jobs, but we had our default assignments.
The job of the book judge is to look up each voter in a card deck and find their registration card. If there wasn't one, then there were procedures for handling them. Once we found the card, we cross checked it with our roll booklet. For the most part this process went smoothly. I wore a string around my neck with a little electronic sleeve on the end. After a voter was verified as registered, I slid a smartcard into the sleave and pushed a few buttons to designate whether or not this voter should receive a Democrat or Republican ballot, based on their registration, and there was also an option for specifying magnification of the ballot on the screen, or even audio for blind people.
From 6-7 a.m., we set up the voting booths. We had to unplug all of them because they were facing the wrong way. We then rearranged them and plugged them back in. Each machine has a 5 hour battery, so this process went without a hitch. Pretty much all of the judges knew who I was and what my role has been as a very public critic of electronic voting and Diebold in particular. At around 6:30, representatives from Diebold arrived, and although my badge said "Avi" on it, I heard them refer to me as Professor Rubin, so I knew that they knew exactly who I was. In fact, some of the very senior Diebold executives who I recognized showed up, which makes me think that they knew I would be there, perhaps based on the Baltimore Sun article.
At 7 a.m., we opened the polls, and head judge Jim cast the first vote, to a round of applause from all of us. Voters trickled in, but at a slow pace. I felt some hostility from my fellow judges. This was not helped by what transpired next. A TV crew from Fox News showed up at the polls and asked the head judge if they could interview me. The head judge called a "super" judge at the county and came back and said no. The reporter asked to speak to the super judge, named Jackie, and was obviously not getting anywhere. She left rather angry, with a nasty exchange with head judge Jim and some unpleasant words with head judge Marie. I felt very uncomfortable. At that moment, there were no more voters in the room, and I offered to everyone in the room that I was not here to pull a publicity stunt, and that I would agree not to speak with any reporters throughout the day. This was a serious responsibility and duty that I took with the utmost respect for the system, and I would not let it turn into a mockery. A few minutes later, though, a photographer from the Baltimore Sun showed up with a reporter in tow. The same routine happened, only this time, they allowed the photographer to take pictures of me working and checking in voters and programming smartcards. However, they would not let the reporter talk to me. An angry exchange ensued, and when he left, I felt that tempers were pretty hot.
Once again, I reiterated my intensions of being nothing more than an objective judge today. The situation was worsened when one voter had a problem with his card which the voting machine spit out. He was given a new card, but I was concerned, and so I asked head judge Marie to count the ballots and check them against the count in the machine after he left. She did, and the count was fine. The smartcard really had failed and it was fixed. However, I overheard head judge Jim complain to Joy that I had made a big deal about that incident because the Baltimore Sun reporter was there. That was not true. It was a coincidence.
Over the next several hours, we all were busy checking in voters and dealing with running the election. Everybody calmed down, and we started joking around with each other and the mood became more positive. We only had one other minor press incident during the day. During breaks, I decided to educate Marie and Joy about the security problems of electronic voting machines. Amazingly, they really started to get it. They confessed that they had been ready to fight me, and that there was great animosity towards me, but that, in their words, I wasn't "such a bad guy after all". At the same time, I started realizing that some of the attacks described in our initial paper were actually quite unrealistic, at least in a precinct with judges who worked as hard as ours did and who were as vigilant. At the same time, I found that I had underestimated some of the threats before. I think that being an election judge was the best thing I could have possibly done to learn about the real security of elections.
In our paper, we described how the smartcards used by these machines had no cryptography on them, and we made the widely criticized claim that a teenager in a garage could manufacture smartcards and use them to vote 20 times. I now believe that this particular attack is not a real threat -- at least not in the primary I worked today. We had 9 judges and 5 machines. Whenever a voter took what seemed to be too long, we always had a judge ask them if they needed help, or if something was wrong. Also, the machines make a loud clicking sound when the smartcard is ejected, and we almost always had a judge standing there waiting to collect the card and give the voter a sticker, as they are ushered out.
In general, multiple voting attacks during the election are not likely to work in a precinct such as the one where I worked. Every hour or so, we counted all of the voter authorization cards (different from the smartcards), which were in an envelope taped to the machine, and compared them to the number of votes counted by the machine so far. I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it.
Every hour, we also counted the totals on the machines and compared them to the totals in the registration roster that we used to check people in. I was amazed at the number of countings and pieces of paper that we shuffled throughout the day in what was billed as a paperless electronic election.
There were also some security issues that I found to be much worse than I expected. All of the tallies are kept on PCMCIA cards. At the end of the election, each of those cards is loaded onto one machine, designated as the zero machine. (I found it interesting that Diebold numbered the machines 0 through n-1, disproving my notion that they don't have anyone on board who knows anything about Computer Science.) The zero machine is then connected to a modem, and the tallies are sent to a central place, where they are incorporated with the tallies of other precincts. In our case, the phone line was not working properly, so we went to the backup plan. The zero machine combined all the tallies from the PCMCIA cards that were loaded one at a time onto the machine. It then printed out the final tallies. One copy of that went onto the outside door of the building where there were talliers and poll watchers eagerly waiting. The other was put into a pouch with all of the PCMCIA cards, each wrapped in a printed tally of the machine to which it corresponds, and that pouch was driven by the two head judges to the board of elections office.
The security risk I saw was that Diebold had designated which machine would be the zero machine, and at one point, all of the vote tallies were loaded onto that one machine in memory. That would be the perfect point to completely change the tallies. There is no need to attack all of the machines at a precinct if someone could tamper with the zero machine. In fact, even when the modem is used, it is only the zero machine that makes the call. In the code we examined, that phone call is not protected correctly with cryptography. Perhaps that has been fixed. I was glad to see that the administrator PIN actually used in the election was not the 1111 that we used in our training, and that we had seen in the code.
One thing absolutely amazed me. With very few exceptions, the voters really LOVED the machines. They raved about them to us judges. The most common comment was "That was so easy." I can see why people take so much offense at the notion that the machines are completely insecure. Given my role today, I just smiled and nodded. I was not about to tell voters that the machines they had just voted on were so insecure. I was curious that voters did not seem to question how their votes were recorded. The voter verifiability that I find so precious did not seem to be on the minds of these voters. One woman did come up to Joy and complain that she wanted a paper ballot to verify. But, Joy managed to convince her that these machines were state of the art and that there was nothing to worry about, which was followed by a smile and a wink in my direction. I just kept quiet, given the circumstances. As an election judge, my job is to make the election work as well as possible, and creating doubts in the voters' minds at the polls does not figure into my idea of responsible behavior. Perhaps the lightest moment in the day came when one voter standing at his machine asked in the most deadpan voice, "What do I do if it says it is rebooting?" Head judge Marie turned white, and Joy's mouth dropped. My heart started to beat quickly, when he laughed and said "just kidding." There was about a two second pause of silence followed by roaring laughter from everyone.
I found the reaction to that joke interesting. Everybody was willing to believe that this had happened, and yet when it became clear that it didn't, we all felt relief. I'm sure that the other judges would have claimed that this was impossible, and yet, for a brief instant, they all thought it had happened.
There were a few unusual moments related to my previous work on e-voting. Several people recognized me from TV appearances and from the paper. Yesterday, I was on two CNN shows and the local ABC station criticising Diebold's voting machines, and last week, I was on the Today show and on TechTV. One voter who I was checking in, leaned over and said, "I know who you are." I just smiled. Then he asked me if he should even bother voting, and if I thought the machines would "hold out". I answered that my views were well known, but that today I was an election judge. Another voter asked me, "Aren't you that hacker guy?"
In the beginning of the election, we printed a "zero tape" of each machine. I found this to be the kind of charade that a confidence man would play when performing some sleight of hand. So, the machines printed each candidates name with a zero next to it. Somehow, that is supposed to mean that there are no votes counted on the machine? I don't know. I think I could write a five line computer program that would print the zero tally, and I don't see how that ties into the security of the election. In fact, that was not the only procedure that I thought served more as eye candy than real security. For example, the process for collecting the smartcards was for the unit judge to take the card from the voter and put it on a piano that was across the room. Every 15 minutes or so, the unit judge would take the cards and give them back to us book judges. When a Diebold rep showed up, I asked her about this, and she said that it was done to give the voters a sense that nothing was being kept on the smartcards about their voting session. After my experience today, I can say with total confidence that this would not have ocurred to any of the voters we had.
There was a very funny moment around 2:00 in the afternoon. A voter complained that she was a Democrat but had been given the Republican ballot. This required both head judges to void the ballot. It turned out that this had been my mistake when I coded the smartcard. In fact, I was the only one the entire day who made such a mistake. The less than young judges had a good time constantly reminding me of who the careless judge was at this election. One of them commented to me that there are many young people who are incompetent and many old people who can manage an election just fine, thank you.
I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a handful of companies (Diebold, Sequoia, ES&S) who are in a position to control the final outcomes of our elections. I also believe that the outcomes can be changed without any knowledge by election judges or anyone else. Furthermore, meaningful recounts are impossible with these machines.
I also believe that we have great people working in the trenches and on the front lines. These are ordinary people, mostly elderly, who believe in our country and our democracy, and who work their butts off for 16 hours, starting at 6 a.m. to try to keep the mechanics of our elections running smoothly. It is a shame that the e-voting tidal wave has a near hypnotic effect on these judges and almost all voters. I believe that after today's experience, I am much better equipped to make the arguments against e-voting machines with no voter verifiability, but I also have a great appreciation for how hard it is going to be to fight them, given how much voters and election officials love them.
We were not allowed to use cell phones or access email all day. On my way home from the polls, I called my voicemail at work. I had messages and requests for interviews from ABC News, the Baltimore Sun, the Washington Post, Wired News, CNN, several radio stations and the New York Times. So, this issue is not going away. Over the next few days, I'll be discussing my experience and probably sparring with the usual suspects in the various media outlets. My biggest fear is that super Tuesday will be viewed as a big success. By all accounts, everyone at my precinct felt that way. The more e-voting is viewed as successful, the more it will be adopted, and the greater the risk when someone decides to actually exploit the weaknesses of these systems.
It's now almost midnight, and I've been up since 5:00 a.m. I'm falling asleep as I type this, so I will end here. Good night.
They are 1) "motor voter", and 2) the laws that allow the mentally deficient, "disabled" (insert whatever term you like, I'll describe what I'm talking about in a moment) to "vote" via "assistants" who "help them vote."
Now, before anyone gets all snippy, here's what I'm talking about. A few years ago, I lived in a town that had a large state facility. The facility changed names every few years, becoming increasingly Orwellian with each succeeding wave (and man, they sure are succeeding!) of Political Correctness. It started out as "The State Home" (itself a euphemism). Later, it was "The Regional Center for Developmental Disabilities". Last I heard, it was "The Center for Human Development".
Nice lofty terms, eh? Sounds almost like a think-tank. In reality, it was quite the opposite. It was the place that the state housed those who were born with the most tragic "disabilities" imaginable. The sort of almost frightening birth defects that society chooses to hide from itself, to pretend do not exist. I'm talking about people who are in a very real sense not "people". People who were born essentially without a brain. Just enough of a brainstem to allow them to breath and maintain basic life support. No cognition, no "speech" -- unless you consider loud, random, gutteral grunts and screeches to be "speech".
Now, here's the kicker.
These people vote!
How on Earth, you might ask, can people without any cerebral tissue manage to vote/i>?
That's a good question. And, as fate would have it, it's a question that's been addressed by the law.
They "vote" by having an "assistant" drive a shortbuss load of them to the polling place, wheel them inside, and then proceed to "assist" them to "vote".
Get the picture yet?
These tragic cases are used as tokens, for unionized state-employed socialworker types to cast votes en masse.
It made it into the local paper -- once -- when someone who saw it happening was outraged, and contacted the rag. As far as I know, that was the end of it. I presume the practice continues, and, I presume it is not restricted to that one community.
In fact I'd be surprised if it's not happening all over the country.
And, I'd be surprised if it's not limited to people afflicted with such dramatically obvious "issues."
I'd be surprised if it's not happening anywhere you've got large numbers of people who are sufficiently "disabled" to be unaware that someone is voting "on their behalf." The profoundly retarded, institutionalized mentally ill, etc.
I don't expect to be surprised.
As to the topic of vote-counting software, anyone who even suggests it's complex code is IMO immediately suspect. Tallying up lists of numbers via simple addition is not even "CS101" level "programming". It's more like, "Introduction to Computers" type stuff.
Now, adding the crypto protection is a bit harder, but it doesn't make the actual tallying any harder.
In short, if Rubin (the "R" in "RSA") is concerned with the black magic going on inside those boxes, then everyone should be concerned.
But, as I said above, there's plenty to be concerned with apart from electronic tallying -- and no one seems very concerned about it. Working up a sweat over potential for fraud over e-voting while disregarding the fraud potential with motor-voter and "assisted voting" is like leaving your lifeboat and climbing back onto the Titanic because you forgot to shut off the faucet in your stateroom.
Well, considering the fact that "this guy" is one of the three fathers of modern crypto, I'd think it might be worth listening to what he has to say on the matter.
Coffee... need coffee...
(Just for the record, my brainfarts notwithstanding, Avi Rubin is a heavy-hitter in the field.)
Cyclic Redundancy Check, Time of Day.
The first is a method of detecting if the contents of a piece of data have been tampered with, sort of like a checksum, but more robust. The second is self-explanatory.
No, really? You mean you really wouldn't think they would try to fix any bugs??? Noooooo...
I was glad to see that the administrator PIN actually used in the election was not the 1111 that we used in our training, and that we had seen in the code.
No sh$% sherlock. When in training, the PIN can be anything you want. Geez, when we are developing we give everyone full access, but does everyone have full access in production???
And this guy is a computer science pro!!! The guys a lacky who knows nothing about the real world and only lives in his philosophical utopia.
Exactly right. The idea of an 'almost-unforgeable' ID card, with some biometric verification, offends the Civil-Liberties purists, but I can't get too excited about it, and it would solve a lot of problems with voter-fraud, terrorists, illegal aliens, identity theft, etc.
I expect to get flamed by the purists, so have my asbestos suit on.
The wrong person alone with the machines for just a few minutes and another precinct is cooked. Yup.
I happen to know that you are 100% correct here due to the fact that my aunt works in just such a facility. She told me how she "helps" them vote. (But hey, don't worry, because the people there decide, the social workers "explain" to them what each candidate is about.... ;-)
Look, given untrustworthy poll workers? Of course.
Untrustworthy poll workers can do a whole lot more damage if the ballots are punch-cards than if they are paper ballots which voters mark with a pen. (See 2000, "dimpled chads".) Untrustworthy poll wokers can do a whole lot more damage if ballots are electronic, than if they are punch-cards. Essentially, the potential for poll worker fraud is magnified exponentially, the more sophisticated and "mass" technology that is used.
That is why I advocate paper ballots.
Nowhere did I say I wouldn't keep a better eye on poll workers if necessary. Of course I would. But "there could be dishonest poll workers!!" is not an argument against paper ballots per se. It is an argument against, first of all, trusting poll workers too much. It is also an argument against voting systems which leave no paper trail, and/or whcih render ballots too identical/interchangeable/computer-friendly, and/or on which all tallies are kept on computer and can be spoofed by the push of a button. In other words it is an argument against systems other than paper ballots.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.