Is Vermont’s voting system secure?

With none of the controversial touch-screen voting systems that have raised red flags in other states and a safeguard mechanism in place, Vermonters can be assured of secure election results come November, according to Secretary of State Deb Markowitz.

Or can we?

A handful of local activists have their doubts, and last week a national voting watchdog pointed to what they say are serious problems with the Diebold optical scanner system used in Vermont.

Calais resident Jim Hogue, who helped propel the state’s ban on paperless electronic voting in 2003, said he thought at the time that the battle was over. “I thought ‘OK, we’ve won’ … and then I started discovering how vulnerable the optical scanners were.”

voting ballot

Optical scanners read text or illustrations printed on paper and translate the information by digitizing an image. Vermont town clerks themselves opted to use the Diebold 1.94w system, not only because it’s user friendly but because it’s compatible with existing printers, said Markowitz.

Seventy-three of Vermont’s 246 towns use them, representing more than 50 percent of the state’s approximately 417,000 registered voters.

The system allows voters to mark paper ballots, typically with pencils or pens, independent of any machine. Voters then insert their ballots into the scanner, which optically records the vote.

“It’s not just me feeling that way. What the security minds nationally are looking at as people are talking about concerns with touch-screen technology, they’re really suggesting in large part going to an optical scan technology,” said Markowitz.

She said her confidence is bolstered by Vermont’s longstanding relationship with a Massachusetts company, LHS Associates, which has been configuring Vermont ballots for 20 years. ”With an optical scan, no matter who’s producing the machine, it’s being configured by people we know; we know their names, we know which machines they’re dealing with,” said Markowitz.

“When they configure Vermont’s races, every ballot is different in every community. It’s done in an open process by people working on freestanding machines. … Nobody can make a change without others being aware of it. From there it goes to a mailer that can only be accepted by signature of the clerk. So our security starts as soon as the fingers are touching the card-setting of the ballot, and under our chain-of-custody rule the town clerk knows exactly who has touched the card.”

To top it off, the scanners are kept in a locked vault until Election Day, Markowitz pointed out. And finally, under the state’s 2003 legislation, the secretary of state may conduct a random audit of election results.

“The last piece of the security cycle is to have the ability to say if you do something funny we can catch you. We have this new law that allows us to conduct random audits and we plan to do that in this coming election,” she said.

But Richmond resident Gary Beckwith of the group Vermonters for Voting Integrity said Vermont election officials are placing blind faith in a system that has been proven vulnerable.

“We’ve got a problem in Vermont: Our system is not secure and that’s indisputable at this point,” Beckwith maintains. “Several independent tests have confirmed it’s not secure, and the real problem, in my mind, is that the people responsible for keeping our system secure are not concerned.”

According to the website electionline.org, Vermont is one of only four states that require a paper ballot system; seven more states use no electronic equipment whatsoever.

Beckwith ticks off a list that includes the California secretary of state refusing to certify Diebold voting machines after they failed in 10 security tests, and Leon County, FL, officials who banned the machines because of security flaws.

In a letter this summer to Kathy DeWolfe, director of elections in Markowitz’s office, Beckwith demanded to know what Vermont was going to do “now that we have obvious and credible evidence that Diebold as a company cannot be trusted.”

$12 and four minutes

Last week, the national voting advocacy watchdog group, Black Box Voting, announced that a pair of middle-aged, computer savvy women working with the group bought $12 worth of tools and in four minutes penetrated the memory card seals of the Deibold 1.94w system, removed and replaced the memory card, and sealed it up again “without leaving a trace.”

The group said it purchased an optical scanner and made the attempt after two Florida studies “proved that election results can be altered in such a way that the supervisor of elections cannot detect the tampering.”

The hackers removed five screws to unfasten the sealed memory cards, the group said in a press release. “Inside, all that stands between a poll worker (or an insider at the warehouse or elections office) and the open-for-business memory card is a washer which you can unscrew.”

The group’s latest test comes a year after computer expert Harri Hursti determined that the Diebold design incorporates “the mother of security holes.”

“This design would not appropriately be characterized as ‘a house with the door open.’ The design of the Diebold Precinct-Based Optical Scan 1.94w system is, in the author’s own view, more akin to ‘a house with an unlockable revolving door,’” Hursti wrote.

Because the system’s removable memory card contains an executable program which acts on the vote data, changing the program on the memory card can change the way the optical scan machine functions and the way the votes are reported, Hursti wrote.

“The system won’t work without this program on the memory card. Whereas we would expect to see vote data in a sealed, passive environment, this system places votes into an open active environment. With this architecture, every time an election is conducted it is necessary to reinstall part of the functionality into the optical scan system via memory card, making it possible to introduce program functions (either authorized or unauthorized), either wholesale or in a targeted manner, with no way to verify that the certified or even standard functionality is maintained from one voting machine to the next.”

Diebold: Get real

In a real-world election setting, the Black Box Voting scenarios are implausible, according to Diebold. “Everything they throw out is a what-if scenario that isn’t reflective of a real election environment,” said Diebold spokesman David Bear. “They haven’t been able to do any of these things in a real election scenario.”

“They’re trying to perpetuate this inaccuracy that the technology has made it more likely for someone to corrupt an election,” Bear charged. But even if you believe in a “cabal of people that are nefariously corrupting an election,” he said, paper ballots are far more vulnerable than electronic polling.

Black Box Voting’s four-minute, $12 hack is predicated on the “sleepover” concept, in which voting machines are sent home with poll workers for days or even weeks before an election, giving someone ample time to break the seal and reprogram the cards.

“This experiment shows that the seals do nothing whatever to protect against access by insiders after testing, and the seals also are worthless in jurisdictions like Washington, Florida, California, and many other locations where voting machines are sent home with poll workers for days before the election,” the group contends.

DeWolfe said under Vermont’s chain-of-custody procedure, the memory cards are either locked in the machine and locked in a vault, or, when sent out for configuration, are sent only by Fed Ex or UPS with a signature required.

“The analogy is that is I give you my hard drive, you can corrupt my computer,” according to DeWolfe. “If you don’t have access to my hard drive, you can’t corrupt it. Similarly, in Vermont only clerks have access to memory cards.”

But even without a sleepover, with some planning the process could be done in the time it takes for one of two poll workers to take a bathroom break, said Black Box Voting Director Bev Harris.

“You would have to have another memory card available to put in as a substitute, but you can buy memory cards on the Internet. The recipe for hacking has been on Internet for more than a year, and the source code has been on the Internet for six years,” said Harris.

Diebold’s Bear scoffs at the notion that local election officials would risk a federal criminal sentence.

“I don’t think a lot of people believe this stuff. I think quite honestly most people don’t think about it, most people are honest, fair people and their intent is to go to the polls and vote for the candidate they prefer. And most people who work at the polls just want to perform their civic duty,” he said.

Beckwith warns observers not to be too quick to discount fraud potential just because Vermont is a small state. “Vermont was the second highest deviation in 2004 election of exit polls in the country,” he said. “We were 10 percent off from the exit polls, even though [Democratic presidential candidate John] Kerry did win Vermont.”

It’s not the Vermont end that worries him, Beckwith said, but what happens when the memory cards go back and forth.

“I trust the town clerks; I understand the memory cards are kept secure. But before every election, the cards are sent back to these companies and they have unfettered access to the memory cards,” he said.

The response from Markowitz and DeWolfe that these are trustworthy companies is asking Vermonters to put “blind trust in these two private companies, and we know that they have the ability and the access to do something like this,” he said.

“Significant vulnerability”

In June, a yearlong study on electronic voting released by the Brennan Center for Justice at New York University School of Law concluded that the three major electronic voting systems used in the United States — including Diebold’s optical scanners, touch screen with paper trails, and those without paper trails — have significant security and reliability vulnerabilities.

“All three systems are equally vulnerable to an attack involving the insertion of corrupt software or other software attack programs designed to take over a voting machine,” according to the study, which involved government and private-sector scientists, voting machine experts, and security professionals.

But the report also said the vulnerabilities can be overcome by auditing printed voting records, which is Markowitz’s security fallback.

Hogue said even that is not enough. “If random clerks would do random audits, that for me would take care of it; random clerks making up their own minds with their own people, and it’s public and transparent … I would be thrilled. And there is nothing preventing that in Vermont law, a redundant count, as distinctly different from an audit, which happens after the fact.”

Beckwith also wants to see a hand-counted audit on a significant percentage of the ballots. “There is no test that can be done on the memory cards to ensure they don’t have malicious code; the only way to determine the election has been counted correctly is to do a hand-counted audit, an audit comprised of randomly selecting a certain percentage of the voting precinct,” he said.

The percentage of votes that should be counted is also debatable, he said. California law requires 1 percent of the ballots must be hand-counted. A discrepancy would trigger a more extensive hand count.

“Most people do not think 1 percent is enough, and some think we have to hand count all of them … I’m not a statistician or a mathematician; I don’t really know statistically how much we would have to count to have confidence, but from the research I’ve done most statisticians say somewhere around 5 percent would give you 95 percent assurance the election was counted correctly.”

At Black Box Voting, Harris said given the nation’s recent history of apparent discrepancies, U.S. voters should not be satisfied until they can exert control over the counts.

“A panel of citizens should be able to say we’re going to pick something, put a lockdown on it and count every ballot … . That would go a long ways toward satisfying people; people need to be able to oversee the whole thing, not 1 percent that someone else chooses.”

Harris is calling for a shift in how U.S. voters think about elections.

“It is no longer enough to observe and tell stories about what you saw — even if you sign an affidavit. The sad fact is, anecdotes don’t produce change, even when they are very well organized,” she writes on the Black Box Voting website. “It’s time to shift your thinking from watching elections to collecting evidence” through audio and video recordings, photographs, and public records requests.

The group has a voter’s toolkit posted on their website, www.blackboxvoting.org, to inform voters of their rights, and help people decide what to do and how to do it.

Reply