Sunday, August 17, 2008

NEW YORK'S BACK DOOR TO THE BALLOT BOX

Due to the unobservable and mutable nature of software used to count votes at elections, full or partial post-election hand recounts of voter-verified paper ballots (VVPBs), also known as post-election audits, are now considered by many to be the "gold standard" of election integrity. Historically, this has not been the case, but as a recent electronic voting system security paper by Haldeman et al (who have actually hacked optical scan and DRE e-vote counting systems for the State of California and demonstrated some of their work to members of Congress) stated:

"While conducting a thorough audit may be time consuming, it provides a higher level of confidence in the integrity of the result than any other mechanism we have been able to identify."
But in 2008 in the State of New York, some disabled voters whom HAVA was intended to help may be putting their votes at risk, even if their ballots are counted by hand. And in 2009, they may have a lot of company. This is because at least one electronic vote-counting system, to be used only as an accessible ballot marking device (BMD) this year in dozens of counties in the state, features a low-tech way to corrupt even a rigorous post-election audit procedure or a full hand count: an old fashioned stuffable ballot box.

As this video by election integrity advocate Rady Ananda and attorney Andi Novick clearly shows, software-based electronic vote counting is not the only thing New Yorkers will have to worry about in the state's rush to comply with HAVA:

Attorney Andi Novick inserts several ballots into a slot on top of the Sequoia/Dominion ImageCast precinct-count optical scan voting system that enables stuffing of the locked ballot box.

You can read more about this at Op Ed News, but it's no wonder that Novick, who founded the Election Transparency Coalition of NY, is planning on suing the state for violating its own Constitution by allowing electronic vote counting, and now perhaps even facilitating the kind of old fashioned paper ballot box stuffing reminiscent of Tammany Hall.

To date, we are not aware of any other open-ended vulnerability, security or penetration testing of the Sequoia/Dominion ImageCast machine, but clearly, it is only too easy to penetrate with low-tech methods such as ballot box stuffing. New York will be hand-counting the BMD ballots this year, instead of relying on software-driven optical scanners which have thus far exhibited hundreds of discrepancies in their source-code reviews against the 2005 federal Voluntary Voting System Guidelines that the state requires voting systems to meet as part of its certification process. But even a full hand count cannot compensate for a stuffed paper ballot box!

There ought to be a law -- and wouldn't you know it? There is!

It's not as if previous New York legislatures hadn't anticipated such nefarious intent; ballot box stuffing is as old as the hills. So what remedies does the NY Election Law provide in the case of a stuffed ballot box?

In their wisdom, our forefathers decided that the best way to deal with a stuffed ballot box was not to count the stuffed ballots. But because a clever attacker would take great pains to ensure that there was no way to distinguish between stuffed ballots and those cast legitimately,
Election Law § 9-110 (2) states:
"[S]uch ballots shall all be replaced, without being unfolded, in the box from which they were taken, and shall be thoroughly mingled therein, and one of the inspectors shall, with his back to the box, publicly draw out as many ballots as shall be equal to such excess and, without unfolding them forthwith shall enclose them in an envelope which he shall then and there seal and endorse 'excess ballots from the box for ballots for the general election, presidential electors, or party ballots or otherwise', as the case may be, and shall sign his name thereto, and place such envelope in the box for defective or spoiled ballots."
In other words, the number of excess ballots must be randomly removed from the box, without anyone even knowing which ballots were legitimate or which had been illegally stuffed. Such ballots are then set aside -- never to be counted!

While such measures may seem draconian, randomly disenfranchising some voters whose ballots are removed from the box is preferable to allowing the counting of all the excess ballots that are known to be fraudulent. Stuffed ballots would most likely contain votes exclusively for a particular party or candidate, some of which would be removed at random under the law. Even so, in a highly partisan precinct that votes 90% for the preferred party, a ballot box could be stuffed with ballots voted 100% for the opposition, thereby suppressing the preferred party's advantage. Removing ballots at random and not counting them would do little to ameliorate this situation, but it's the best that could be hoped for under the circumstances.


Obviously, it's very likely that voters would be disenfranchised if legitimately cast ballots happened to be randomly removed. Unfortunately, this year in New York, the voters most likely to be victims of a ballot stuffing attack would be the very voters HAVA was intended to help -- disabled voters.

So much for the election-night count; what about those post-election audits?

For decades, statisticians and EI advocates have known how to calculate the number of ballots that need to be hand counted to see who won elections counted by software with high confidence. It's not usually all the ballots, but at times, such as the 2000 Presidential Election in Florida and the 2004 Gubernatorial contest in Washington, a full hand count (or perhaps preferably, a re-vote or runoff election) is necessary.

In a ballot stuffing scenario, a properly designed audit that also includes ballot accounting will reveal more ballots than voters (unless of course the poll books were also "stuffed" with fake signatures), but election results will still be spoiled by ballot stuffing unless the auditors could discern legitimate ballots from fraudulent ones. This would not be an easy task.

A current draft of the New York State regulations for optical scan voting systems would allow about 4,000 legitimate ballots per box, and the poll worker training manual for the Sequoia/Dominion ImageCast states that the the system's ballot ID number only "distinguishes between ballots from different districts, but can never be used to identify an individual ballot or voter." New York's Constitution requires secret ballots.

What’s worse, if the machines and ballots were left unattended in a warehouse with their back-door ballot stuffing slots exposed, anyone could insert extra ballots that could be used to disrupt a post-election audit; trigger an expanded audit when vote count discrepancies were discovered; and even trigger a fraudulent recount of all the paper ballots which, under NY Election Law, could change the outcome of an election.

At the very least, an election could be thrown into a state of chaos and uncertainty, resulting in litigation that could drag on for months after the reported winner has taken office, undermining public confidence.

So, how do we protect disabled voters who choose to cast their ballots on these insecure "HAVA-compliant" systems? At the Aug. 4th State Board of Elections meeting, Co-Chair Douglas A. Kellner suggested hand counting these paper ballots on election night at the polling place. That's a step in the right direction and regulations may soon be drafted to require it.

But in 2009, nearly all New York voters will be expected to cast paper ballots at polling places, have them optically scanned, counted by computers, and deposited into these stuffable ballot boxes. So what's the plan to protect the rest of New York's voters?


Everything Old Is New Again

Until now, stuffing ballot boxes at elections in New York was thought to be a thing of the past, thanks to our decades-old, yet reliable lever voting machines. We can only guess what other “back doors” may exist in the proprietary, unobservable, undetectably mutable ImageCast software, but if this obviously shoddy hardware design is any indication, it could be the tip of the iceberg. New Yorkers therefore need to think twice before actually allowing their votes to be counted on such machines.

Professor Bryan Pfaffenberger of the University of Virginia Dept. of Science, Technology & Society was awarded a National Science Foundation grant to study the lever voting machine. In Machining the Vote, he defends levers, which were designed with an eye toward preventing paper ballot fraud:
"Having studied the history, I strongly believe that there would be no such call for paper if the ugly history of fraudulent practices enabled by paper ballots were known -- unfortunately, the American people have forgotten the lessons they learned a century ago, and I greatly fear that we will have to repeat them in order to learn them again.

"In my analysis, the lever machine deserves recognition as one of the most astonishing achievements of American technological genius, a fact that is reflected in their continued competitiveness against recent voting technologies in every accepted performance measure."
Dr. Richard Hayes Phillips, who like Rady Ananda, and unlike many armchair investigators and pontificators, has first-hand experience investigating the 2004 Presidential Election in Ohio, wrote in a recent essay entitled: In Defense of Lever Machines,
"I simply will not defend the use of paper ballots if they are transported to another location before they are counted. I would much rather have lever machines counted at the polling place than any system, paper or paperless, counted elsewhere."
Some may claim that software-driven "precinct-count" optical scanners fulfill this requirement, but how do we know that the paper ballots will in fact be counted correctly by these special-purpose trusted computing devices? (Hint: we don't!)

Once again, it's important to remember that the reason for a post-election audit is that we can't trust election results produced only by software. Don't be lulled into a false sense of security because the software has been "certified." Researchers at the National Institute of Standards and Technology have clearly stated: "[E]xperience in testing software and systems has shown that testing to high degrees of security and reliability is from a practical perspective not possible." [Emphasis added.]

And as e-voting expert Dr. Avi Rubin of Johns Hopkins and the ACCURATE center ruminated in his blog:
"The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. [Y]ou cannot certify an electronic voting machine the way you certify a lever machine.... [W]e absolutely expect that vulnerabilities will be discovered all the time....

"Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software."
A post-election audit, widely viewed as the best we can do to mitigate the risks of software-based electronic vote counting systems, can only be effective if the chain of custody of the paper ballots is absolutely secure. We are not convinced that this will be the case with the system shown in the above video that has already been purchased by most New York counties for the exorbitant sum of $12,000 apiece. (Not to mention the fact that the State Board of Elections has yet to approve our suggestions for risk-based post-election audits, leaving up to 97% of the vote in the State counted only by software.)

The Worst Voting System Around

Let's stop pretending that e-vote counting systems -- with or without paper trails -- are safer overall than a voting system comprised mainly of lever voting machines. There is no evidence to support such claims, especially given the way paper ballots are being used and abused -- particularly with respect to software-driven computerized optical scan "recounts" that are rapidly becoming standard practice in state after state in lieu of the even less trustworthy DREs they are replacing.

The fact is, like democracy itself, lever machines are the worst voting system around -- except for all the others that have been tried.


If you vote in New York, and you'd like to sign the petition in support of Andi Novick's lawsuit to stop the State from replacing lever voting machines and counting votes with software, or to become a plaintiff in the case, go to: http://www.petitiononline.com/etcnysls/petition.html.

No comments: