July 29, 2003

Proprietary voting computers: Threat or menace?

- By Robin 'Roblimo' Miller -
There has been a great deal of noise recently about the evils of closed-source voting computers and how easy it might be to rig elections with them because their proprietary code hides miscounts from public view. It's a little shocking that government agencies like the Federal Election Commission and mainstream news media haven't paid more attention to this problem. But do voting machines in common use today really contain nefarious code that can change your vote after it is cast? And if they do, what are we going to do about it?

The loudest current voice on the voting machine fraud front right now is a Washington state publicity consultant, Bev Harris, who has let her PR business lay fallow for more than a year while working on a book called Black Box Voting - Ballot-tampering in the 21st Century.

During a telephone interview, Harris spoke most heavily about ES&S (Election Systems and Software), an Omaha, Nebraska company that uses the motto "Better Elections Every Day" and claims to be "the world's largest and most experienced provider of total election management solutions with over 74,000 systems installed worldwide."

ES&S has gotten a bit of journalistic attention in the past, and we're not talking about happy talk on the company's Web site but the fact that Nebraska Senator Charles Hagelowns an interest in the company, had failed to report that interest, which is not direct but is because of his stake in Omaha-based McCarthy Group Inc., a major ES&S investor, on financial disclosure forms, and -- this is the fun part -- was elected through the use of ES&S machines, which are in service in almost every Nebraska jurisdiction.

Not only that, Hagel was apparently chairman of an ES&S predecessor company, American Information Systems Inc., and has also served as president of McCarthy Group Inc.

(One news outlet that is unlikely to pry deeply into the Hagel/ES&S connection is Nebraska's dominant newspaper, the Omaha World-Herald; its parent company is another ES&S co-owner.)

A bogus case of voting machine fraud

It was the 1994 Maryland gubernatorial election. Democrat Parris Glendening beat Republican Ellen Sauerbrey by less than half of one percent. Sauerbrey screamed "fraud," claiming that thousands of ineligible voters -- all Democrats, of course -- had been allowed to vote, and also claimed that voting machines in (heavily Democratic) West Baltimore had been rigged by the (Democratic) election board to give extra votes to Glendening.

The voting machine accusation centered on a particular polling place that turned in its results hours after others all over the state had completed their election day business. Sauerbrey and her supporters believed the reason results from that polling place were so slow in coming was that voting machine technicians were changing the ballots.

These were mechanical voting machines, nothing computerized about them. Voters moved little levers next to their choice, and their vote was made final when they opened the privacy curtain. After the polls closed, election workers -- half-trained people from the community who got far less than minimum wage -- were supposed to open the machines, remove the (paper) rolls on which the votes were recorded, check the paper counts against the machine's reckoning, then fill out a stack of forms and transport the results by car to election headquarters downtown.

To prevent fraud at the precinct level, it took two keys to open each voting machine; one in the hands of a Democratic election worker, the other held by a Republican.

That night, in the precinct Sauerbrey claimed was the center of the fraud because it turned in its returns so late, the Republican election judge broke his key off in the machine. It took the voting machine technician several hours to dig out the twisted keystub, and that was the reason the results were so late. There was no Vast Left-Wing Conspiracy or evil Democratic plot at all, just a simple screwup -- and a screwup by a Republican, at that.

I know all this because I was there, in person, watching the voting machine technician work. The next day I wrote an article for the Baltimore Sun about this non-fraudulent voting machine problem that led Ellen Sauerbrey to say nasty things both to and about me for many months afterwards. She took her 1994 loss with far less grace than Al Gore took his in 2000, to the point where many local commentators started calling her "Ellen Sour Grapes."

Many voting fraud accusations turn out to be false alarms. This doesn't mean voting fraud doesn't exist -- especially in Baltimore, where one theory about famous resident Edgar Allan Poe's death (on an election day) claims he was given copious quantities of alcohol and possibly opium while he was taken from polling place to polling place and forced to vote over and over again, which hastened the poor, sick poet's demise.

Unfortunately, we have no computerized voting records from Poe's time, so this story cannot be verified.

- Robin 'Roblimo' Miller


Proving negatives

Perhaps Charles Hagel was twice elected Senator (by large margins) honestly. Perhaps his interest in the company that made the machines used to elect him has nothing to do with anything. But the suspicion is there and will always be there. And since the ES&S machines used to count the votes that elected Hagel are 100% proprietary, both software and hardware, and leave no 'paper trail' human auditors can use to verify their accuracy, Hagel will always have a cloud over him.

Last year Harris wrote a seminal article about the relationship between Hagel, ES&S, the ultra-right wing (and ultra-rich) Ahmanson family, and posted it on her talion.com Web site. Attorneys for ES&S sent her a letter demanding its removal, plus a retraction. Harris has neither removed nor retracted anything, and this material is now almost certain to find its way into her book.


Well-documented voting computer errors

Harris gave NewsForge three well-known instances of voting computer mistakes made in recent years that have drawn surprisingly little national media attention:

  1. A 100% error rate in an April, 1998 Orange County, California school bond election she says was reported by NewsBytes. According to Harris, "yes" and "no" votes were flip-flopped because of software errors, so every "yes" vote was recorded as a "no" and vice versa.
  2. In the Allamakee County, Iowa 2000 general election about 300 votes were fed into an optical scanner -- but it tallied 3.9 million. Harris says local election officials never found what the error was, but computer supplier ES&S replaced the machine.
  3. Baldwin County Alabama, November 2002: Harris says that in the Governor's race 6300 votes changed overnight, after the polls closed. She says, "the race had already been called for Democrat Don Seigelman, but in the morning suddenly it went the other way and Republican Bob Riley was governor. Don Seigelman took it to court, but there was no provision in the law for a recount..."

Harris says she lists a total of 112 incidents in her book "where bad software caused bad counts."

She also told us that if she wanted to rig a vote herself, she'd "go after the primaries" instead of general election results.

Not only that, she says the best -- and hardest to detect -- way to alter the results of a general election would be "to rig a heavily Republican district to go more Republican rather than to rig a Democratic district to go Republican."

And on the subject of government agencies in other countries buying voting computers from U.S. companies, she is adamant: "If I was in another country I would not buy voting machines from the U.S. unless they were open source."

Echoing this sentiment, James Love, director of the Ralph Nader-founded Consumer Project on Technology, had exactly two words to say when asked the best way to guard against voting computer fraud: "Open source."

Pernicious code?

Harris's publisher supplied NewsForge with several examples of code they say is used in ES&S touchscreen voting computers. The first snippet was unattributed Wine, and they thought it was being used in proprietary equipment against its licensing terms.

We turned to ace Wine coder Jeremy White, of CodeWeavers, for an opinion. He said it was perfectly okay for ES&S or anyone else to use that code, with or without attribution; that it was from 2001, when Wine still carried a BSD-style license, although there might be trouble if they updated to a 2002 or later version, since it would be under the GNU LGPL.

No smoking gun there.

Later Harris handed us more code to look at, this time code that perhaps allowed vote changes to be made. If so, this would be a real negative find. We showed this code (which you can inspect for yourself here) to several expert programmers. Here is what some of them had to say about these code samples:

  • "From a quick 10-15 minute analysis of this code I can't see
    anything that would make me feel uneasy. I'm not sure why they decided to
    write their own registry editor when "regedit"/"reged32" comes standard
    on all windows platforms, even NT Embedded and I would guess XP embedded."
  • "Aside from the code being ugly, poorly documented, and steeped in
    Windows APIs, it seems fine. The code particularly in question (case
    REG_MULTI_SZ in CRegistryEditor::DisplayKeyData in registryeditor.cpp)
    is only for reading and displaying keys from the Windows registry - it
    does not write to the registry, and it does not look like the coders
    have left an opening for a buffer overflow. They count the number of
    strings in the registry item, then allocate the total length of
    strings plus 4 characters per string for padding. The only real way
    to exploit this code would be to insert a nonstandard entry into the
    registry, e.g. a non-null-terminated string (not sure if/how this is
    possible, but it seems like the registry code in the MS APIs would
    make damn sure things were valid before putting them in the
    system-wide registry), spoof the software into thinking the key type
    was REG_MULTI_SZ (not sure how/if this is possible either), and then
    attempt to display that registry key.

    "If this code is really in use at voter kiosks, I find it highly unlikely
    that it could be used to modify voter data."

  • "The important stuff where the risks and dangers are present is the code
    that stores, authenticates & audits the voting data. Code related to
    these issues doesn't seem to be present on the above page.

    "Regardless, you wouldn't catch me dead voting with any of these machines
    until somebody like Bruce Schneier takes one to bits & exhibits the
    strong crypto. If my precinct switches to them, I'll show up, sign off
    that I showed and leave without voting.

    ("Given the current dangerous political climate, I'd prefer if you would
    keep my identity in confidence- and if you use anything I said, I'd
    appreciate it if you'd also mention this as well.")

scoop.co.nz

The scoop.co.nz Web site is riding this whole story hard, with pieces by Bev Harris and a stack of links to other stories about potential voting computer problems, not to mention a study of Diebold voting computer system insecurities (PDF) unearthed by a team from Johns Hopkins University.

Naturally, one of the lead Scoop stories on the topic is by Bev Harris. In fact, a large percentage of the stories listed on the Scoop site's AMERICAN COUP "voting machine roundup" page were either written by Harris or contain material attributed to her.

This is not a knock: Harris and Scoop may be a tad alarmist at times, but they have certainly managed to get other media outlets (including the New York Times) interested in the idea of proprietary voting computers becoming fraud machines, so hopefully more journalists and even -- just maybe -- a government agency or two may start looking into the matter.


Is there a solution to the problem?

Voting fraud has been a problem since the first time a leader was chosen by putting colored pebbles in a box. Paper ballots can be miscounted, and there's always the old standby vote-rigging method of having a group of people cast multiple ballots at multiple polling locations.

Computers make vote tallying easier, which means they can make voting fraud easier, too. They also have the disadvantage that they are not transparent to everyone. A reasonable amount of honesty can be brought to a paper ballot counting process simply by allowing representatives from all interested parties to participate or observe. Security also enters the picture with computer voting in a way it doesn't with paper ballots, which can be moved under the eyes of many people to prevent theft or substitution instead of as nebulous bits and bytes through phone lines or other electronic communications channels.

Secrecy itself causes many of these concerns. If we all voted openly instead of casting secret ballots, everyone's vote would be obvious to everyone else. But there are many advantages to secret ballots, the primary one being lack of coercion; if the government doesn't know how an individual voted, it is hard to retaliate against that individual for casting a dissenting ballot.

The trick is to maintain the privacy of the individual voter while keeping the vote tallying process itself as open and transparent as possible. And no matter mow transparent that process is, there will always be ways to 'rig' it, including the infamous Florida Republicans' method of preventing unqualified voters (AKA "Democrats") from casting a vote in the first place.

(However, not all Florida jurisdictions are totally corrupt on the voting front. Manatee County, for example, uses an optical scan system that, even if it is flawed, still leaves a 'paper trail' that can easily be read by humans without computer help, which means fraudulent computer counts are relatively easy to detect and trace.)

But this article is about the voting process itself, not about voter registration decisions. And it's obvious that when it comes to counting votes, the more open the process, the more likely it is that the process is honest. When you look at vote counting from this perspective, it's obvious that James Love's "open source" solution is the only way to go. For all we know, Nebraska Senator Charles Hagel really was the popular choice there, and is not in office only because he is connected with the (proprietary software) voting machine company whose products were used to put him there.

Wouldn't an honest politician (like, presumably, Sen. Hagel) want the public to know he or she got into office fair and square? That there was no question of fraud in the vote tallying? If so, shouldn't all honest politicians be working hard to make sure all voting computers are 100% open on both the hardware and software sides?

Profiting from open source voting systems

Ideally, voting machine vendors sell a complete package including hardware, software, and service. None of the machine functions are exotic; everything from optical scanning to touch-screen kiosks are available on the open market and are used in many commercial applications. The software can be extraordinarily simple. All voting machines need to do is count votes, and the rest of the system only needs to be able to add the counts from a number of voting machines together and display the results in human-readable format.

These functions don't require Microsoft Access or Word or any other proprietary software whatsoever. They don't even require much of an operating system at the polling place level, where nothing happens beyond basic counting followed by (hopefully secure) transmittal of that polling place's results to a central location either electronically or physically via some sort of removable storage medium.

And don't forget production of a physical paper record of some sort. Many voting machine companies and the jurisdictions that buy voting machines claim that adding paper and printers to the system increases the chance of mechanical breakdowns and therefore can lead to counting delays, not to mention the added cost of having skilled repair technicians standing by on election day to correct inevitable (mechanical) printer problems. But that "paper trail" is the ultimate in accountability, and one would think someone like Sen. Hagel would want one available so that no one could ever question the legitimacy of his election.

So why can't voting machine companies produce simple, reliable packages that run on open source software? It's being done in Australia, by a government agency, no less. Surely American entrepreneurs can operate more efficiently than a bunch of government flogs! We hear over and over again in the U.S. about the superiority of private companies over governments, so all these American voting machine companies certainly ought to be able to come up with open source, transparent, easy-to-use, easily maintained voting systems without turning a hair, and each company should be able to find a way to differentiate itself from its competitors without resorting to 'secret sauce' nonsense as if they were all selling low-nutrition snacks instead of acting as the guardians of the republic's most necessary political function.

And if current voting machine companies can't handle the basic task of producing simple, honest, and open vote-counting systems, the American way is to start new companies that can do it. We can expect all honest election supervisors to choose the best, most open, most honest systems, of course, because they are the people specifically responsible for making sure we have fair and honest elections.

Does anyone really care?

Only about 51% of the eligible U.S. population bothered to cast a ballot in the last presidential election, and this was not an extraordinarily poor showing by historical standards, as this chart shows.

A look at this more detailed chart shows that more eligible voters stayed home than voted for Al Bush and George W. Gore (or whatever their names were) put together.

This is for the general election in a presidential year!

In primaries, off-year congressional races, and strictly local elections, turnouts in the sub-30% range are depressingly common, and in some jurisdictions we see fewer than 10% of eligible voters exercising their franchise in these 'minor' elections.

Perhaps this is why there hasn't been more care and attention paid to the mechanisms we use to tally our votes: That most people simply don't care enough about voting to make the process itself an important issue.

And this, sadly, is not a problem that can be corrected merely by making sure all voting computers run honest, open source software, even though this is certainly a worthy goal in a purely ethical sense even if a majority of the electorate doesn't care one way or the other.

Click Here!