- heather mull
- CMU Professor Michael Shamos, the state's voting machine examiner: Machines, not paper will "'protect ... the voter from rascaldom.'"
Victoria Berdnik hands long strips of paper to two women training to work the polls on Election Day. These fresh recruits have never before supervised voting on Allegheny County's electronic voting machines, which replaced lever machines at May's primary election. Here in the Westin Convention Center Hotel Downtown on Oct. 10, they're getting a two-hour course.
Poll workers are supposed to print these paper strips, known as "zero tapes," from each of the county's voting machines when it's turned on. The tapes should show zero votes for every candidate before polling starts.
This is the only paper they'll have to print from each machine, apart from the tally of votes at the end of the day. The rest of the time, workers will be plugging and unplugging cartridges that tell the machine what ballot to show onscreen. Voters will be touching the screen to choose their candidates, and then pushing the machine's flashing plastic Vote button to make it count.
At the beginning of this particular mock election, the zero tape shows George Washington and Eleanor Roosevelt still awaiting our support.
Berdnik, of the North Side, is one of several temps hired by the county to conduct the demonstrations.
"That zero tape is so important because it shows you the machine has not been tampered with," she says.
The possibility of foul play seems far from the minds of these poll workers -- even though doubts about the machines have already been raised in a local primary race this May. Instead, poll workers braced to reassure voters that they'll be able to work the new machines at all.
For many voters, the November election will be their first exposure to the machines, says the county's lead trainer, Melinda Freed. Freed is a poll worker herself, in a Mount Lebanon precinct with about 400 registered voters -- but only 165 showed up for the May primary. That means there could be 235 newbies being introduced to this new technology on Nov. 7.
Tell such voters not to worry, Freed tells her fellow poll workers at the Westin gathering. If you can push the buttons on any number of small appliances, you can work these things. After all, she says, "Our voting machine is not a computer ... "
Electronic voting machines are computers, of course. But that's about the only thing their advocates and opponents seem to agree upon.
Still under intense debate is whether these computers are recording and counting our votes correctly, how they should be tested, and how to make certain that thousands of machines at polling stations on Election Day have exactly the same approved programming.
Making certain these machines are secure against tampering has engendered another cottage industry of alarms and assurances. Some local poll workers in May were unable to get their machines to print zero tapes at the beginning of the day. Nonetheless, they allowed voting -- and, with tech help, were able to get these machines to spit out zero tapes anyway, even in the middle of Election Day, after they had already begun counting votes.
The 2000 dispute over paper ballots in Florida resulted in the 2002 Help America Vote Act, which gave out millions in federal money for counties to purchase new, theoretically better voting machines. After several false starts, Allegheny County settled on the iVotronic, made by ES&S of Omaha, Neb.
HAVA was supposed to prevent Florida-like problems, but it has created new problems of its own. For instance, in the 2004 general election in Carteret County, N.C., a machine made by UniLect of California stopped counting votes just past 3,000, due to a software problem. About 7,500 votes had actually been cast, and the incident threw a statewide race into limbo, since only 2,000 votes separated the contenders. One of the candidates conceded four months later -- with the missing votes lost forever.
Since then, a study published by researchers at Princeton University found that one popular machine made by Diebold, one of the world's largest voting-machine manufacturers, "is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code." Such programming "could steal votes undetectably, modifying all records, logs and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab."
Also this year, the Brennan Center for Justice at New York University School of Law issued a report saying the three electronic voting machines it examined "have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state and local elections."
Could such "vulnerabilities" affect a close race in Pennsylvania this year? Some say they already have.
Ed Gainey, for one, still questions the integrity of his loss in this May's primary election. Gainey was a Democratic candidate for the state's General Assembly in the 24th District, encompassing Wilkinsburg and eastern neighborhoods of Pittsburgh. He lost to incumbent Joseph Preston Jr. by 92 votes: 3,211 to 3,303. Gainey considered contesting the election results this past June, but says he lacked the money to mount a court challenge. Still, his attorney, Heather Heidelbaugh, summed up his concerns in a letter to the county Board of Elections.
It noted that the county "... originally could not account for either 53 or 54 Democratic votes and 2 Republican votes. On Friday, June 2nd, 2006, seventeen days after the election, the Election Division found 23 of the votes because the cartridge from one of the machines in the 13th Ward, District 5 had not been read."
Gainey remembers watching county and ES&S officials fiddling with the ballot cartridges and voting machines during the official vote count, trying to determine how many votes he really got.
When workers "took the cartridges and put them back into the machines, the number of votes continued to jump up and down," he says. "It took them several times to get the vote down to where it was at the beginning [of the tallying effort]. When you put a cartridge in and they say, 'Let's fix this,' and when they put the cartridge in again and they say, 'Hold on,' and they put the cartridge in again -- that's just unbelievable to me."
ES&S did not respond to an interview request by press time. Tim Johnson, the county's director of administrative services (which includes the election division), chalks up most difficulties in May to the need for increased poll worker training, which more than 5,500 poll workers are undergoing before Election Day.
"The equipment performed as it was designed to perform," Johnson says. Looking toward November, he adds, "I'm more comfortable now than I have ever been" with the county's machines.
But according to other Gainey recount eyewitnesses who spoke on June 6 at the Board of Elections meeting, there were other problems at the county's North Side warehouse as the votes were tallied:
"[V]oters have no real assurance that their votes were counted," said David Eckhardt, a Mount Lebanon judge of elections since 1997 and computer science professor at Carnegie Mellon University, where he specializes in computer operating systems and computer networks. Citing also the zero tapes produced mid-day, amid voting, Eckhardt concluded: "Problems with simple, exposed parts of the system raise concerns about the hidden, intricate parts."
"The security of our electronic elections rests on two basic premises," said Collin Lynch of Squirrel Hill, a doctoral student in the University of Pittsburgh's Intelligent Systems program. "The first is that state inspectors will certify systems, catching all security holes in the process. The second is that we as a county will run only those systems that have been certified in their pure form."
Not only were those ballot cartridges running uncertified versions of their firmware (a kind of software), Lynch said, but "[d]uring the May 16th election, each precinct was equipped with at least two different types of iVotronic systems. One model, the 'ADA-Model,' was equipped with a set of buttons at the bottom [to assist those with disabilities], while the other is not. Only the ADA-Model was viewed and certified by the ... Commonwealth," he said. "The other system, which behaves differently according to poll workers, was not."
Eckhardt, Lynch and other members of the Allegheny chapter of VotePA (www.votePA.us) meet regularly in Kazansky's deli in Squirrel Hill to discuss electronic voting's future.
"The thing that makes a computer different from a fork is that it has no nature," says Eckhardt, using handheld versions of both devices on an early October afternoon at Kazansky's. While you can tell how a fork works by looking at it, two electronic voting machines that look identical may work in very different ways. For the computer, he adds, "the difference, from instant to instant, is in the software." A PC can act as a word processor one moment and a game machine the next, depending upon which program is being used.
"There's no such thing as a trivial difference between software," Lynch says.
County poll workers' "whole process for checking the software is to run the software and ask it, 'Hey, what do you want to claim to be?'" notes Eckhardt. "And they assume [each machine's answer] to be correct."
When the machines are tested for certification by the state, "they are not approached from the point of view of a motivated attacker ...," adds another member of the group, Chad Dougherty of McCandless, an Internet security analyst at CMU's Software Engineering Institute.
Once the machines have arrived in Allegheny County, only the manufacturer, ES&S, can check the machine's software in any detail. The software, developed by a private company, remains its highly protected property.
"This is the exact opposite of how you would design a system if you wanted people to believe that it worked," Eckhardt says.
"We don't want the county to be trusting a company," says another group member, Audrey Glickman of Squirrel Hill. And it's not just the company that voters are asked to put their faith in: "It's anybody who touches anything" on the machines -- from the manufacturing plant to the polling place.
If touch-screen DREs (direct recording electronic systems) must be used, the group has long advocated that they also produce a paper copy of each ballot, which the voter verifies and the machine keeps. Numerous national groups also call for such paper back-ups. But concerns about privacy -- the possibility of matching each poll's list of voters to a roll of paper ballots accumulated chronologically, for instance -- has kept such paper back-ups from passing muster under Pennsylvania law.
The group has also been proposing two new methods it hopes the county will adopt to make DREs safe for democracy.
One is called parallel testing. If there is rogue computer code in our voting machines, a common assumption is that it would affect the machines only when their internal clocks said Election Day had arrived. With parallel testing, a number of random machines would be pulled from service at the polls on Election Day morning by an independent testing body. Instead of receiving the votes of actual voters, these machines would receive a pre-scripted set of votes from the testers. Presumably, the machines wouldn't be able to tell the difference. But at the end of the day, the testers could tell whether the machines had recorded and tabulated their choices properly.
The group's other desire is for software audits: getting access to the software on enough machines to satisfy any doubt that the machine's innards arrived exactly as advertised.
"The simplest thing the machines are asked to do is, at the beginning of the day, print out a tape full of zeros," Eckhardt says. "They can't reliably do that simplest thing. Therefore, if you want to believe they're doing all the other more complicated, unauditable things, be my guest, but I'm not sure what your belief is based on."
"There's nothing on earth that is so secure that a science-fiction writer can't dream up a script to get around it," says Michael Shamos, who leads the examination and certification of electronic voting machines for Pennsylvania.
A distinguished career professor in the School of Computer Science at Carnegie Mellon University, Shamos is also among the most vocal defenders of computer balloting's security and accuracy. While allowing for deficiencies in both the technology and the testing process, he dismisses the concerns of many critics.
For one thing, a paper record is no panacea, Shamos asserts. As he told a recent hearing in the U.S. House of Representatives, "The reason that mechanical voting machines were introduced over a century ago was to stop rampant fraud involving paper ballots. [...] The very idea that a paper record is secure at all continues to be refuted in every election. A recent example is the May 2006 primary held in Cleveland, Ohio. [...] When the paper records from the election were examined by an independent study group commissioned by Cuyahoga County, 10 percent of the paper records were found to be illegible, defaced or entirely missing."
No system can be entirely foolproof, Shamos says, in part because "There is no country in the world where voting is as complicated as it is in the United States." Voting is overseen by counties in Pennsylvania and most other states -- except in New England, where individual cities and towns have jurisdiction. In our state alone, one individual may live in overlapping but not identical voting districts electing city council, county council, state House and Senate candidates. There is also a judge of elections who is himself elected for each polling place. Shamos estimates that 10,000 different election races are decided nationwideeach Election Day.
The idea of allowing software audits by individual counties is something Shamos says he himself has raised with voting-machine vendors, but none say it can be offered yet. But, he adds: "I think it's useful to have, because it silences the conspiracy theorists."
And he invented parallel testing, he maintains, to do just that. But its viability depends on "the credibility of the threat model." When ultra-conservative Pat Buchanan got a large number of votes in one Florida county during the 2000 presidential election from elderly Jews -- a demographic Democrats can usually count on -- even Buchanan expressed the suspicion that something might have gone wrong with the vote. Any author of malicious software code hoping to change electronic voting results, Shamos says, would want to avoid raising similar suspicions. Thus, manipulating the vote would require knowing the destination of each voting machine, its population, registration percentages and traditional voting patterns.
"We have to have a credible threat model or we're wasting our time trying to deal with it," he concludes.
"This is a bogus argument," counters Avi Rubin, professor of computer science at Johns Hopkins University and technical director of its Information Security Institute. Rubin drew national attention in 2003 when he revealed security problems with a Diebold voting machine, and has just published a book, Brave New Ballot, about the experience.
One simple way to get around the need to know each voting district before trying to rig an election electronically, he says, is to keep the task simple: "Let's say in a particular race there's a candidate who is heavily favored. You write malicious code that notices who is winning and you make sure they lose" -- but not by a landslide.
"With DREs, let's say the adversary's goal is to destroy the election," he adds. "His rogue code could simply get rid of all vote totals at the end of the day."
Barbara Simons also calls Shamos' contention "nonsense." She chairs the subcommittee on voting machines at the Association for Computing Machinery, a professional society for computer scientists. Perhaps someone just wants the Republicans to win, or the Democrats. Perhaps you want to affect the highest office only, which typically is at the top of the ballot.
"You don't have to rig everything," she says.
Shamos, Rubin says, "is a minority of one or two" in having such confidence in the current state of electronic voting.
Allegheny County has the option to adopt both or neither of these methods prior to future elections.
"I'm looking into" parallel testing, says the county's Tim Johnson. "The county reserves the right to" perform software audits on its ES&S machines, he adds. "We will do so if we choose to. I can't give you specifics."
But neither Rubin nor Simons is convinced that parallel testing or software audits is the answer.
The former test "is a very good thing to do, but it's a Band-Aid," Simons says. "What do you do if you find a problem? The election's over. Holding a new election is very hard to do. Our laws are not designed to deal with electronic voting."
Software audits are "also a good thing, but that doesn't necessarily catch everything. If software audits could catch everything, we wouldn't get these periodic bug updates from Microsoft and Apple."
As a substitute for DREs, Rubin proposes a type of system already manufactured but not widely used, in which voters mark their ballots via touch-screen. This machine can warn the voter if he has missed a contest, or voted for too many councilors or commissioners; it can accommodate voters with vision problems and those who don't speak English. But instead of counting their vote or even holding it in permanent memory, this voting machine merely prints out a paper copy of the ballot. The voter checks his ballot for accuracy, then scans it into another device to be counted.
The system would prevent voters from placing incorrect or ambiguous marks on the ballot, if its ovals had been filled in by hand. Rubin calls this device "a $5,000 pen."
And what would the county do with the machines it has already bought?
"One of the things you could do with them is landfill them," says David Eckhardt.
"We are not joking," says Collin Lynch. He cites a May 2005 memo from the Miami-Dade County Florida manager to its board of commissioners that concludes the district could drop its use of ES&S iVotronics wholesale in favor of precinct-based optical scan systems and save 23-29 percent of its costs at each subsequent election.
Barring that unlikely scenario here, the local VotePa chapter has a few suggestions for this Election Day.
"Candidates should not concede," says Audrey Glickman -- even if they seem to be losing "90 to 1. Don't concede. There could be machine errors."
"Don't assume that election night results bear any relation to accuracy," says Eckhardt.
"Get the poll watchers out," Glickman adds. "Get someone to watch while they're counting."
If you don't, Lynch says, "We've basically just asked the company to tell us who won."
To report county voting problems: 412-350-4500; or Votersunite's hotline, 1-866-OUR-VOTE.illustration: doug macdonald