I’ve never really bought the conspiracy story surrounding the Diebold voting machine stuff. I’ve been happy that the issue has been raised (and even happier that the battle about copyright that Diebold’s effort at censoring criticism created also created the Free Culture movement at Swarthmore, and now spreading).
But if this story is true, I will have to rethink my view. As reported at Blackboxvoting:
By entering a 2-digit code in a hidden location, a second set of votes is created. This set of votes can be changed, so that it no longer matches the correct votes. The voting system will then read the totals from the bogus vote set. It takes only seconds to change the votes, and to date not a single location in the U.S. has implemented security measures to fully mitigate the risks.
Is this really true?
If you aren’t sure that electronic voting related machines should be subject to more scrutiny, read:
http://www.inthesetimes.com/site/main/article/978/
It details a lot of errors which _were_ found. Who knows how many were not found.
Clearly there have been enough problems to make the elections officials’ claim that the machines don’t need a paper record because they are perfect fairly ridiculous.
No, the story isn’t true. Now do you feel better?
if “open” means anything, it must mean that the voting process is as transparent as any individual vote is secret. plainly, non governmental institutions ought to be able to see into the voting process, including but not limited to the issues of code asserted in these various sources. surely this is at least as important as copyright limitations, or open access to networks. indeed, if the upcoming election is as flawed as the 00 election, one can hardly imagine any real reform being possible in other areas.
I have seen Bev Harris’ demo of GEMS twice, and I believe that all of the vulnerabilities she cites are indeed real. None of them are “bugs” in the sense of ordinary programmer errors. Some of them are designed-in features (like the one she calls a “double set of books”), while others are best described as consequences of security cluelessness. The other misfeatures she points to, such as accessibility of the server by modem, the ability of anyone with access to the server to modify the vote database by any of several surreptitious means, or to change passwords trivially, or to edit the server log (which is supposed to be an audit trail), are all sadly real.
Where I depart from Bev is in the interpretation of these “features”. She refers to the two or more variant copies of the precinct-indexed vote table as a “double set of books” and invokes a “principle” of accounting that there is no valid reason for a double set of books–that it is always a sign of embezzlement. I think there are numerous reasons why one might think it a good idea to make adjustments in the vote totals and keep them in a separate copy, keeping the unadjusted values at the same time. Not good reasons, mind you–there are better ways to accomplish this, such as storing deltas instead. However, although I think the design used here is poor, I do not think it was deliberately intended for fraud.
The “two letter code” phrase is also misleading as far as I can tell. There is a column of switches parallel to the precinct vote tables. In each case, if the switch is 0, the primary precinct value is used in reports and sums; when it is -1, the corresponding value from the secondary table is used. I specifically asked Bev about this, and the “two letter code” refers to the two-character string “-1”. My interpretation is that -1 is not so much a “code” as a representation for the Boolean value “true”, in contradistinction to 0 representing “false”, a common programming convention.
Now, this is bad design, because it allows arbitrary alterations in vote totals to be sloppily done, and also unlogged. It is certainly a mechanism that can be used to commit, and possibly hide, vote fraud. But I do not see any reason to believe it was intended for that. I believe, for a number of reasons too long to detail here, that it more likely represents egregiously clueless design.
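As an added illustration (not part of the thread and not Diebold's code), the switch-column design described in the comment above is modelled here next to the "store deltas" alternative it mentions, with a reconciliation check an auditor could run. The row layout, function names, operator name and sample counts are constructed assumptions.

```python
import hashlib, json

# Constructed rows in a hypothetical layout based on the comment above:
# (precinct, primary_votes, secondary_votes, switch); 0 = primary, -1 = secondary.
ROWS = [
    ("P-01", 412, 412, 0),
    ("P-02", 530, 480, -1),   # secondary differs and is selected
    ("P-03", 298, 250, 0),    # secondary differs but is not selected
]

def reported(rows):
    """Total as the described reports compute it: the switch picks the table."""
    return sum(sec if sw == -1 else pri for _, pri, sec, sw in rows)

def reconcile(rows):
    """Flag every precinct whose reported value is not the primary count."""
    return [(p, pri, sec) for p, pri, sec, sw in rows if sw != 0 and sec != pri]

def _digest(prev, entry):
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev.encode() + body).hexdigest()

def append_delta(log, precinct, delta, operator, reason):
    """'Store deltas' alternative: each adjustment is an attributed entry in
    an append-only, hash-chained log rather than a second overwritable copy."""
    entry = {"precinct": precinct, "delta": delta,
             "operator": operator, "reason": reason}
    prev = log[-1]["hash"] if log else "0" * 64
    log.append({**entry, "hash": _digest(prev, entry)})

def verify_log(log):
    """Recompute the chain; an edited or mid-chain removed entry breaks it."""
    prev = "0" * 64
    for rec in log:
        entry = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(prev, entry) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def adjusted_total(rows, log):
    """Primary counts plus logged deltas; refuses a log that fails to verify."""
    if not verify_log(log):
        raise ValueError("adjustment log failed verification")
    return sum(pri for _, pri, _, _ in rows) + sum(r["delta"] for r in log)
```

The chain detects edits only if its latest hash is also recorded somewhere the database operator cannot write; otherwise the whole log can be recomputed or truncated at the tail.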
As David noted above, most of the most serious holes in the Diebold systems are, in fact, “features”. The ease with which a local worker was able to “perform some fancy footwork” on the Access database in a recent election here was touted as a good thing in the Diebold memos that the company was suing over. First off, if the system worked correctly, the “fancy footwork” would not have been needed. Second, in order for a voting system to work, a system MUST have a full trail, whether paper or electronic. Diebold’s systems do not and that is an extremely serious danger to the integrity of any election the machines are used in.
Regarding your ideas about the conspiracy, Mr. Lessig, please read the Diebold memos that started all of this and note that the lawsuits filed by Diebold were not defamation or libel or slander. They sued for copyright violation. To me (please correct me if I am wrong), that means the memos are, in fact, true. If that is the case, read the memos and decide for yourself if this company should be able to go anywhere near our votes.
As a programmer, I refuse to believe their failures are due to the requirements of the task at hand. As a voter, I refuse to believe their machines are safe. As a somewhat informed citizen, I doubt I will ever trust them after the stunts they have pulled in the past few years.
How much you wanna bet that the two digit code is “43”?
joe, did you mean 42?
wait, 42 implies good programmers 🙂 oh well. hopefully 44.
“As a programmer, I refuse to believe their failures are due to the requirements of the task at hand.”
I agree absolutely. Case in point: the other kind of large-scale, government-run, anonymous, dual-redundant, fully auditable, real-time transaction systems – namely, state lotteries. The technology itself is not the problem.
Even if the back door were not wide open, the cryptography used is not appropriately strong. If the two-digit code thing is true, then middle school lockers are hundreds of times more secure than our election system. Interestingly, the CA Attorney General dismissed possible criminal charges against Diebold.
The serious doubts raised about computerized voting systems, along with reports of FL’s attempts to modify the registered voter lists in favor of Republicans, raise the question of what can be done after the fact, when the vote totals in FL favor Mr. Bush–as now seems inevitable. Or can the Democrats seek a preliminary injunction now? I would think that the discovery possible through litigation would be the best possibility for uncovering programming fraud.
At the start of things, Bev went into the Diebold system and pointed out her concerns to a variety of people and groups, including Diebold. Concern about Diebold’s intentions grew in huge proportions when Diebold, instead of behaving cooperatively, acted defensively by attempting to negate the criticism, then by attempting to stonewall further with the attempt to keep critics from finding further problems. I don’t trust Diebold, I don’t like using a company that won’t make its product transparent to neutral experts, and I’m voting with an absentee ballot.
There need not be any specific conspiracy. Election fraud has occurred through every chink in election security. This new voting tech has especially weak security, and opens up plenty of new methods for voting fraud. Because these electronic voting companies are owned/run primarily by Republican companies, Republicans have the best access to these new routes of vote fraud, and are therefore most likely to benefit and to have benefited from it. There’s no need for the ridiculously bad security to be planned–it’s a natural property of companies jumping to be first into a new market. Republican fraud is an emergent property of the situation.