Connecticut Update (8/30/06)
Much has happened since the TrueVoteCT web site
was last updated, both in Connecticut and nationally.
Here's a brief guide to where we are now with respect
to new voting equipment and to issues currently
facing the state.
- Connecticut has chosen to buy Diebold
AccuVote-OS optical scanners to replace its lever
machines and to buy the IVS telephone voting system
to meet HAVA's accessibility requirements. (More...)
- The Secretary of the State has entered into a
Memorandum of Understanding with Dr. Alex
Shvartsman, a computer scientist at the University
of Connecticut, to conduct "Certification and
Acceptance Testing of Electronic Voting Equipment".
(More...)
- The currently-available models of the
AccuVote-OS scanner have known security
vulnerabilities that led NASED to take the
unprecedented step of withdrawing certification of
the vulnerable models unless specific mitigations
are implemented. (More...)
However, the State contract requires the vendor to
correct any security and/or functionality problems
within a year at no additional cost to the State,
so these problems should eventually get fixed.
- Beyond the specific vulnerabilities currently
identified in the AccuVote-OS, TrueVoteCT
recommends that the Secretary of the State
establish policies and procedures for the safe use
of all electronic voting technologies. (More...)
What's Next? (8/30/06)
The first big test of the new voting systems will
take place in the November elections, only a little
more than two months off. Many things need to be done
between now and then:
- Resolve State certification issues for the new
equipment. (More...)
- Update the Election Moderators Handbook to
include procedures and security mitigations
specific to the new equipment.
- Train poll workers and voters in the proper use
of the new equipment.
- Set up procedures to evaluate the performance
of the new equipment in an actual election.
Further on down the road, it is essential that
Connecticut strengthen existing mandatory audit
legislation to apply to all voting systems, not just
DRE systems as at present. A real strength of optical
scan systems is that the official record of voter
intent is the paper ballot marked by the voter.
However, in order to protect against electronic
tampering, it is essential that the machines be
audited by actually comparing their results with
independent counts of the paper ballots. TrueVoteCT
intends to work with the legislature in drafting
suitable legislation and helping see it through to
completion. (More...)
Secretary of the State Susan Bysiewicz announced
at a
press conference on August 5, 2006 that "her
office has entered into a contract with LHS Associates of
Massachusetts to provide optical scan technology
to replace lever voting machines across the state."
She went on to say, "Additionally, Connecticut will
meet the requirements of the Help America Vote Act
(HAVA) for the November election by entering into a
1-year contract with IVS, LLC to provide one
voting machine accessible to those with disabilities
in each polling place in the state."
This is good news. By choosing
optical scan equipment, the DRE
train wreck predicted in March 2005 has been
avoided and the recommendation made then to go with
optical scan equipment has been followed. This can be
seen as a
victory for TrueVoteCT and for all in the state
who are committed to fair and honest elections.
The equipment to be provided for replacing the
lever machines is the AccuVote-OS optical scanner,
made by Diebold Election
Systems, Inc., as specified in the
State contract. The company to which the press
release referred, LHS
Associates, "is the exclusive value-added
reseller of the Accu-Vote product line in the New
England area." The State has had a long and
productive relationship with LHS Associates. Although
the contract itself is not actually with LHS, the
office of the SOTS assures us that the State has an
understanding that Diebold will designate LHS to
carry out the provisions of the contract.
Secretary of the State Bysiewicz has entered into
a Memorandum of Understanding with Dr. Alex
Shvartsman and the University of Connecticut's
Department of Computer Science and Engineering to
conduct "Certification and Acceptance Testing of
Electronic Voting Equipment". Dr. Shvartsman was
awarded a $258,871 grant to review, among other
things, the July 4, 2005 report
by Finnish computer scientist Harri Hursti which
revealed serious security vulnerabilities in the
Diebold Precinct-Based Optical Scan 1.94w voting
system. It's good to learn that plans are in place to
test voting technology before it is certified, and
True Vote has confidence in Dr. Shvartsman's
ability and integrity.
The currently-available Diebold AccuVote-OS
optical scanner is similar to the machine that was
subject to the Hursti
attack and was mentioned specifically in the
Cal-Berkeley report as containing serious
security holes. Certain mitigations and
countermeasures need to be implemented before these
scanners are used in an election. Particular
attention needs to be paid to the recommendations of
the
Cal-Berkeley report and the
NASED Memory Card Report 03-22-06 which negates
the [Diebold] voting system's status as a
NASED-qualified voting system until four mitigations
are adopted for their safe use:
- Throughout the life of the voting system, the
election official shall maintain control of all
memory cards and keep a perpetual chain of custody
record for all of the memory cards used with the
system. Programmed memory cards shall be stored
securely at all times with logged accesses and
transfers.
- Immediately after the memory card is installed
in the voting station, the card shall be sealed
against unauthorized access. The voting station
shall not be set into election mode until after the
memory card is sealed inside.
- Use controlled serialized seals that are tamper
resistant and resistant to inadvertent breakage
along with verifiable seal logs.
- In post-election mode, print the results report
prior to removing the memory card from the optical
scanner. If additional reports other than the
results report are available, print these as
well.
This advisory applies to the scanners already in
use by a few towns in Connecticut as well as to the
currently-available scanners (version 1.96.6) to be
acquired under the new State contract. Before such
machines are used in Connecticut, the Moderator's
Handbook also needs to be updated to incorporate
these recommendations.
Many security vulnerabilities have been exposed in
electronic voting machines. The Brennan Center study
reveals that all electronic voting systems
are subject to a variety of attack scenarios, and
none can be considered safe until suitable
countermeasures to plausible attacks are implemented.
While it is tempting to label each new vulnerability
as an "oversight" or "design error" that can be
corrected, the problem actually goes much deeper than
that:
1. All current computer equipment is designed to
allow for firmware and software upgrades. This is
necessary in order to allow design errors to be
corrected and to permit servicing of the machine if
the software for any reason becomes corrupted.
2. There is currently no reliable way to determine
what firmware and software is actually running on a
voting machine on election day. This is because
access to the computer's memory is through the
firmware and software itself. If the software has
been corrupted, it can also corrupt the result of
any built-in self-checks.
Facts (1) and (2) above mean that the familiar
paradigms of testing and certification cannot ever
assure the reliability of the machines, no matter how
carefully done. There is simply no way to assure that
the machine running on election day, including both
hardware and software, is the same as the one that
was tested and certified. In light of these facts,
TrueVoteCT makes two recommendations for the
responsible use of any computerized voting
technology:
- It should be made as difficult as possible to
perform unauthorized updates to the hardware,
firmware, and software. This includes careful
chain-of-custody procedures, installation of
physical locks and seals on the equipment, removal
of remote-access devices such as wireless and
network cards from the machines, update procedures
that cryptographically verify the authenticity of
the updates before proceeding, and other measures
designed to ensure that updates are made only under
strictly controlled conditions and only with duly
approved and certified modifications.
- The correct operation of the equipment on
election day must be verified through suitably
designed random audit procedures. This step must
not be skipped. (More...)
Those who are interested in the security flaws
that have been discovered and that have led
TrueVoteCT to make the recommendations above are
urged to read the articles below:
The optical scan machines that are currently used
in several towns in Connecticut may not be properly
certified. The models that were certified by the
State were the Accu-Vote-2000 (and associated ES-2000
operating firmware Version 1.94f) of Global Election
Systems, Inc. We do not know if that exact model ever
received NASED certification. According to NASED, the
Accu-Vote ES-2000 was certified with firmware release
1.94W on 12-28-99. (See
ITA Approved Systems 1-03 to 11-03.) We do not
know if it was ever certified by NASED to firmware
version 1.94f. In any case, the latest firmware
version in use by NASED certified machines seems to be
1.96.6. (Diebold currently has NASED certification
for no fewer than six different versions of their
precinct optical scanner — see
NASED Qualified Voting Systems 03-17-06.)
Confusing? You bet! To add to the confusion, we don't
know what version of the firmware is currently in the
machines now being used since their firmware may well
have been upgraded during maintenance, nor do we know
what functional changes were made from the original
versions.
Given the known vulnerabilities with both Optical
Scan and Direct Recording Electronic (DRE) voting
systems, it is essential that Connecticut adopt a
mandatory, statistically meaningful, random audit
requirement for all voting systems.
Through the efforts of True Vote and other groups,
the State has adopted
Public Act No. 05-188
(pdf), which requires a random audit procedure
for DRE machines. However, that bill does not cover
audit procedures for optical scan systems. True Vote
will work towards adoption of appropriate legislation
during next year's legislative session.
Audit legislation cannot be considered until
January 2007 when the next legislative session
begins. In order to assess the reliability of the new
equipment and to gain useful experience to inform the
eventual audit legislation, True Vote recommends
that a manual recount be taken for every new voting
machine placed in service for the November 2006
election.
A good audit procedure should involve the
following elements:
- A significant percentage of precincts or
machines should be selected for the audit.
- Selection of machines must be done publicly and
should use an accepted random process, similar to
that used in the CT lottery.
- Machines to be audited should not be selected
until after the polls close.
- Hand counting of the votes on the selected
machines should be done in public view, involving
poll watchers and election officials from both
parties, with tallies to be announced to all in the
room before any results are forwarded to the SOTS.
This should be done as soon as practicable
following the close of the polls.
Basic audit procedures are presented in greater
detail in the
Brennan Center report, pages 16–18.
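The selection and sample-size elements listed above can be made concrete. The following Python sketch is an added example, not code from TrueVoteCT, the Brennan Center report, or any election office: it ranks machines by a hash of a publicly generated seed so that any observer can recompute the selection, and it computes the chance that a sample of a given size includes at least one altered machine. The seed format, machine IDs, and figures are constructed assumptions.

```python
import hashlib
from math import comb


def select_for_audit(machine_ids, public_seed, sample_size):
    """Pick `sample_size` machines in a way any observer can recompute.

    Assumption: `public_seed` is produced in public after the polls close
    (for example, dice rolled in front of observers), so the selection
    cannot be known while ballots are still being cast.
    """
    ids = sorted(set(machine_ids))  # canonical order, duplicates removed
    if not 0 < sample_size <= len(ids):
        raise ValueError("sample_size must be between 1 and the machine count")

    def rank(machine_id):
        data = f"{public_seed}|{machine_id}".encode()
        return hashlib.sha256(data).hexdigest()

    # Lowest hash values win; the ordering depends only on seed and IDs.
    return sorted(ids, key=rank)[:sample_size]


def detection_probability(total, tampered, sample_size):
    """Chance that a uniform sample drawn without replacement contains
    at least one of `tampered` altered machines out of `total`."""
    if not (0 <= tampered <= total and 0 <= sample_size <= total):
        raise ValueError("tampered and sample_size must be within 0..total")
    return 1 - comb(total - tampered, sample_size) / comb(total, sample_size)


def min_sample_size(total, tampered, confidence):
    """Smallest sample that reaches the requested detection probability."""
    for n in range(total + 1):
        if detection_probability(total, tampered, n) >= confidence:
            return n
    return total


if __name__ == "__main__":
    machines = [f"M-{i:03d}" for i in range(1, 101)]  # constructed IDs
    seed = "3-6-1-4-2-5-5-1"                          # constructed dice rolls
    print(select_for_audit(machines, seed, 5))
    print(round(detection_probability(100, 5, 2), 4))
    print(min_sample_size(100, 5, 0.95))
```

With these constructed figures, auditing 2 of 100 machines finds a 5-machine alteration less than 10% of the time, while 45 machines are needed to reach 95%.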
Security in the News
In a
report issued on June 28, 2006, the Brennan Center
Task Force on Voting System Security finds
security vulnerabilities in all of
the three kinds of electronic voting machines being
adopted for use across the country: paperless DRE,
DRE with voter-verified paper trail, and precinct
optical scan. The latter type of system was recently
selected for use in Connecticut as a replacement for
the lever machines.
Three points emerge from the threat analyses
studied in the report:
- All three voting
systems have significant security and reliability
vulnerabilities, which pose a real danger to
the integrity of national, state, and local
elections.
- The most troubling
vulnerabilities of each system can be substantially
remedied if proper countermeasures are
implemented at the state and local level.
- Few jurisdictions
have implemented any of the key
countermeasures that could make the least
difficult attacks against voting systems much more
difficult to execute successfully.
The story of the Hursti Hack shows that all types
of electronic voting systems, including DRE systems
and optical scan systems, can be manipulated and
cannot be trusted. The only way to assure the
integrity of elections is to require a voter-verified
paper record---for optical scan systems the ballot
itself serves as the paper record---and to require
rigorous random audit procedures.
In June 2005 Harri Hursti, a Finnish computer
security expert, demonstrated that the Diebold
AccuVote OS system could be tampered with in such a
way as to manipulate the vote totals in a completely
undetectable manner. Since then several states have
confirmed the existence of the vulnerability.
For example, here is a description of the Hursti
Hack from page 7 of the December 22, 2005
Examination Results of the Diebold Election System's
AccuVote TSX Electronic Voting System, OS Optical
Scan Units, and GEMS Election Management Software
published by the Pennsylvania Department of
State:
“In June 2005, Finnish security expert Harri
Hursti demonstrated that the memory card used in
the AccuVote OS units can contain executable code,
and that furthermore, the scanners will execute the
code if it is present. Hursti was able to use this
fact to program a memory card so that it (1)
contained counters that were not zero and, in fact,
had counters with negative vote totals; (2)
produced a zero tape nevertheless; and (3) used the
negative counter values to subtract votes from
candidates and positive counter values to add votes
to candidates, which resulted in a complete
manipulation of the election. Note that if the sum
of the negative and positive counter values are
zero, the total number of votes tallied will
exactly match the total number cast, and nothing
will appear to be amiss. Hursti was able to
disguise the behavior so it would not be detected
in pre-election or post-election testing. (A manual
recount would reveal this.)”
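The point in the passage above, that totals can balance while individual counts are wrong, can be shown from the auditor's side. This Python sketch is an added example and not part of the Pennsylvania report or the original page: it compares each audited machine's reported totals with a hand count and flags the case where the sum check passes but votes have moved between choices. All machine IDs and vote counts are constructed, and the single vote-for-one contest with a "blank" category is an assumption.

```python
def reconcile(ballots_cast, machine_totals, hand_totals):
    """Compare one machine's reported totals with the hand count.

    Totals are dicts of choice -> votes for a single vote-for-one contest;
    blank ballots are assumed to be recorded under the key "blank" so each
    dict should sum to the number of ballots cast.
    Returns (status, {choice: machine_minus_hand}) with zero entries omitted.
    """
    choices = set(machine_totals) | set(hand_totals)
    diff = {c: machine_totals.get(c, 0) - hand_totals.get(c, 0) for c in choices}
    diff = {c: d for c, d in sorted(diff.items()) if d != 0}
    aggregate_ok = sum(machine_totals.values()) == ballots_cast

    if not diff and aggregate_ok:
        return "match", diff
    if diff and aggregate_ok and sum(diff.values()) == 0:
        # Sum-only reconciliation passes, yet votes moved between choices.
        return "offsetting_shift", diff
    return "mismatch", diff


def audit(records):
    """Apply reconcile() to every audited machine; keep only the problems."""
    findings = {}
    for machine_id, rec in records.items():
        status, diff = reconcile(rec["ballots"], rec["machine"], rec["hand"])
        if status != "match":
            findings[machine_id] = (status, diff)
    return findings


# Constructed sample data for three audited machines.
SAMPLE = {
    "M-012": {"ballots": 900,
              "machine": {"A": 430, "B": 440, "blank": 30},
              "hand":    {"A": 430, "B": 440, "blank": 30}},
    "M-047": {"ballots": 900,
              "machine": {"A": 480, "B": 390, "blank": 30},
              "hand":    {"A": 430, "B": 440, "blank": 30}},
    "M-081": {"ballots": 650,
              "machine": {"A": 300, "B": 340, "blank": 5},
              "hand":    {"A": 300, "B": 345, "blank": 5}},
}

if __name__ == "__main__":
    for machine_id, finding in audit(SAMPLE).items():
        print(machine_id, finding)
```

Machine M-047 passes a check of total votes against ballots cast; only the per-choice comparison with the hand count exposes the 50-vote shift.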
More details about the vulnerabilities identified
by the Hursti Hack are available in the following
reports:
Common Cause recently released a report titled
Election Reform Malfunction and Malfeasance: A Report
on the Electronic Voting Machine Debacle. The
report focuses mainly on questions about the
reliability and integrity of paperless DRE machines,
pointing out that nearly 40% of voters are expected
to vote on such machines in the 2006 elections.
The report considers four major studies that
reviewed DRE security and reliability, all of which
found DRE machines:
“to be vulnerable to malfunction and also to
tampering in which a computer-savvy hacker with
minimal access to the machine could introduce
malicious code to the DRE software and change the
results of an election. Such manipulation could be
undetectable. In machines equipped with a modem, it
could even be done from a remote location.”
The report also summarizes seven reported
occasions since 2002 in which electronic machines
added or removed votes in real elections [in Texas,
North Carolina, Pennsylvania, Florida, Virginia, and
New Mexico], calling into question the final results
of a race.
The report makes many recommendations. Here are
some that we think are particularly relevant for
Connecticut:
- Congress should immediately pass HR 550,
“The Voter Confidence and Increased
Accessibility Act of 2005.”
- States should pass laws or adopt regulations
requiring all voting systems to produce a voter
verifiable paper ballot and mandate that at least a
random two percent of voting jurisdictions conduct
public audits of their voting systems.
- Election officials should take necessary steps
to safeguard machines prior to Election Day.
Verified
Voting released a preliminary
summary of states whose elections are at risk due
to well documented security vulnerabilities in
Diebold voting systems. The report shows that
27 states are at risk with varying degrees of
vulnerability. Those considered to be at highest risk
are nine states (GA, MD, IO, FL, VA, PA, IN, KS, TX)
that are using paperless Diebold TSx and TS machines.
States that have adopted voter-verified paper record
requirements are at somewhat less risk.
The vulnerabilities cited in the report
do not only affect Diebold equipment. According to
Verified Voting founder, David L. Dill, Professor of
Computer Science at Stanford University, "[t]here
will be an endless series of security holes, and not
just with Diebold equipment."
The report underscores the importance of two key
elements needed to assure the accuracy and integrity
of elections:
- Voter-verified paper records.
- Mandatory random audits of all voting
technology.
We couldn't agree more!