Sequoia hole

August 12, 2008

EXCLUSIVE: Whistleblower exposes ballot-stuffing hole in new $12,000 optical scan voting system.  The slotted hole will allow anyone to stuff ballots directly into the locked ballot box.  It also comes illegally equipped with USB ports that facilitate network, internet and wireless access, contrary to New York election law.  

By Rady Ananda and Andi Novick

Certified for use in New York, Sequoia/Dominion’s ImageCast ballot marking device (BMD) was designed to allow voters with special needs to create their own paper ballots unassisted.  But a series of problems continues to plague the BMD and its scanner’s certification.  The system comes equipped with a convenient slotted hole that allows anyone to stuff ballots directly into the locked ballot box.  It also comes equipped with USB ports that illegally facilitate network, internet and wireless access.  Hundreds of documentation discrepancies prevent full certification of the system for counting the votes in 2009, and the lab approved to certify it is now being investigated for shoddy methodology and collusion with vendors.

Sequoia/Dominion BMD:  What is wrong with thee; let us count the ways

1. Can’t Make a Secure Ballot Box – Exclusive Video 

Since New York won’t be using theft-enabling software to count the votes in 2008, the ballot-stuffing capability of this BMD destroys the integrity of this year’s hand count, and the integrity of future manual audits.

Video: http://www.youtube.com/watch?v=EUlw-GBWyvk

Attorney Andi Novick stuffs several ballots into a hole on top of the ballot box sold by Sequoia Voting Systems and Dominion Voting Systems.  The hole enables ballot stuffing of the locked ballot box. In the close-up above, the arrow points to the slotted hole that spans the width of the scanner. 

Up to ten cardstock ballots can be stuffed at once.

The ‘black hole’ of fraud, now built into our election system through the nationwide use of theft-enabling software, just got bigger.  This BMD was approved by New York’s testing authorities and shipped to counties for use, but look at the gaping hole they missed.  In this exclusive video, we show how easy it is to illegally stuff the locked ballot box.

Software-driven optical scanners and DREs conceal the way our votes are counted and expose our votes to unprotectable fraud because software can be rigged without detection.  These facts are not debatable – dozens of reports by computer security experts confirm this.  Matt Bishop, who headed the California Red Team that studied Sequoia, Hart and Diebold/Premier voting systems summarized the problem this way:

“The use of computers in performing voting and tallying introduces serious concerns about the integrity and confidentiality of the voting process.” 

In May of this year, the National Science Foundation’s ACCURATE Center advised the U.S. Election Assistance Commission (EAC):   

“Of course, numerous studies have shown that currently deployed voting systems are susceptible to undetectable malicious attacks…” 

Various states propose to compensate for this huge ‘black hole’ of unpreventable computer fraud by hand counting some of the ballots – and, in the case of New York, within 15 days after the election.   But this newly discovered ballot-stuffing hole will foil the manual audit.  Ballot stuffing can disrupt a post-election audit, trigger an expanded audit when count discrepancies are discovered, and then produce a fraudulent recount of all the ballots.

Regardless of how the ballots are stored, a post-election manual audit of the machine count is fatally flawed because we simply cannot know whether anyone tampered with the post-election ballots.  Once the ballots leave the poll site, who’s to say someone didn’t alter, substitute or destroy them?  How will anyone know which ballots were scanned and which ballots were illegally stuffed at some point prior to the hand count? Legitimate ballots cannot be discerned from fraudulent ones. 

Dependence on mutable software is precisely what the post-election audit is intended to prevent.  A ballot box that can be stuffed defeats this faux safeguard, rendering the entire electoral system unreliable.  New York courts have always comprehended why post election ballots can never be sufficiently protected from tampering.  A ballot stuffing hole right into the ballot box is the perfect metaphor for these unsecurable, shoddy voting machines and precisely why such theft-enabling systems must be banned from counting our ballots. 

When asked on August 7th about the slotted hole enabling ballot stuffing, a Dutchess County election worker advised, “Yeah, we noticed that.  We’ll have to address that.”  

Perhaps the best response is to wholly reject theft-enabling voting systems.   

2. Illegal Network and Internet Access Capability 

Although New York bans network and internet access capability in its voting machines, Sequoia/Dominion BMDs come equipped with USB and network ports, accessible by removing eight Phillips screws.  In its August 8th weekly status report, the New York State Board of Elections (SBOE) confirmed in the documentation what we witnessed on the machine:

SysTest has identified a risk regarding Sequoia/Dominion’s documentation, which is written for installation to a network server.  The installation to a standalone system is different, and will require updates to the installation documentation. 

This illegal feature facilitates network and wireless internet access.  It also allows portable hard drive access through which malicious code can be inserted to subvert the vote count in what is called a “sneakernet” attack.  Hackers can easily corrupt the software that counts the votes. 

Perhaps Sequoia/Dominion simply doesn’t care that New York bans network capability, and ordered standalone voting systems.  Maybe it hopes to lobby a change in the laws.  Maybe they thought network capability would escape notice.  Or maybe they believe eight Phillips screws can secure the system from network or wireless access.  

3. Shoddy Product

“The voting industry sells crap, and that is the problem,” explained frustrated SBOE Co-Chair Douglass Kellner.  On July 1st, we reported that 85% of Sequoia’s BMDs delivered to Nassau County failed to operate or were damaged beyond use.  Two weeks later, Wired reported a 50% statewide failure rate for the 1,500 machines delivered to date.  Printer failures, printer jams, failure to boot up, broken monitors, misaligned printer covers, and easily broken seals comprise most of the failures. 

In its August 8th report to the court, the SBOE advised that printer jams continue to occur with the new BMDs, and counties continue to report printer failures after being approved by the State.  Bear in mind – the main function of this $12,000 device is to print a ballot. How do these machines continue to pass inspection?    

4. Don’t Test Your Machines, or We’ll Sue You 

In the February 2008 New Jersey primary, 60 Sequoia machines reported conflicting vote totals.  When Union County sought to have Princeton University computer security experts Ed Felten and Andrew Appel review the machines, Sequoia threatened suit.  In this video interview by Jacob Soboroff of www.WhyTuesday.org, Felten explains the details (starting at about 4:23).

Now, if a piece of publicly owned equipment doesn’t work, why would the vendor threaten suit if election officials wanted an independent test?  Why would election officials back down?  It’s only our sovereignty at stake, here.

5. Can’t Document the Software 

Now that Sequoia/Dominion has shown it can’t make a physically secure ballot box, how can we trust the software it wrote?  We can’t.  Not only do its machines fail to add correctly, but New York’s testing of the Sequoia/Dominion ImageCast revealed hundreds of source code and documentation discrepancies.  In discussing the standards software driven voting systems must meet, Commissioner Kellner explained on July 23rd: 

“The industry and the Department of Justice will argue that if every other state is using equipment that does not comply with current federal standards, why should New York be the exception? I believe that there is still strong bi-partisan consensus within New York that we should stick to our policy that newly purchased voting equipment meet all of the currently applicable standards.”  

However, even New York’s standards, if somehow met, would not secure these systems from fraud.  Dan Wallach, a Rice University computer security expert, has examined electronic voting systems since 2001, and has testified about voting security issues before governmental bodies in the U.S., Mexico and the European Union.  Quoting from a May 2007 interview:

“This is a classic computer security problem.  Whoever gets into the machine first wins.  So if the Trojan horse software is in there first, you ask it to test itself, it will always lie to you and tell you everything is fine.  And no matter what testing code you try to add after the fact, it’s too late.  It can now create a world where the testing software can’t tell that the machine has been compromised, even though it has.”

When testifying before the National Institute of Standards and Technology (NIST) and the EAC’s Technical Guidelines Development Committee, Wallach stated:  

“[W]hile ‘logic-and-accuracy testing’ can sometimes detect flaws, it will never be comprehensive; important flaws will always escape any amount of testing.”

No amount of software testing will ensure that errors or malware do not exist before, during or after an election.  Because of its undetectably mutable and unstable nature, software can never provide us with a rational basis for confidence in reported election results.  Running democratic elections on software is the worst possible choice of all technologies available to us. 

6. The Sequoia/Dominion BMD May Be a Hybrid DRE-Optical Scan System 

During our investigation, we came upon another horrifying discovery.  When Dominion showcased its ImageCast system in Florida in 2007, Pam Haengel and Dan McCrea of Florida Voters Coalition (FVC) posted a video of the demonstration.  Haengel recently shared her impressions of this all-in-one voting system:

“In thinking about that mini-touchscreen, I distinctly recall them saying you could correct errors on your ballot with the touchscreen OR have the machine reject your ballot and do the whole thing over.” 

FVC President Dan McCrea concurs:  

“It certainly could be a DRE integrated into an optical scanner – i.e. a TABULATING ballot marking device.  We were given no assurance that was not the case and of course any isolation between the ballot marking features and the tabulating features would have to be explicitly required by spec and regulation and tested for in certification, in my opinion.”  

The system set up for New York currently does not use the 4×6″ mini touchscreen, but it is troublesome that this BMD has the capacity to operate as a DRE, which activists fought so hard to have banned in New York.  Given the hundreds of documentation discrepancies discovered so far, can we trust that the BMD is not a DRE hybrid? 

Quis custodiet ipsos custodes?

In “SysTest Labs under Fire,” we detail an ongoing investigation into this federally accredited voting systems certification lab responsible for certifying the Sequoia/Dominion BMD in New York.  The lab is accused of failing to document and validate its test methods, and of using unqualified personnel. Emails from the lab also indicate possible collusion with another voting system vendor, ES&S, whereby SysTest’s “test approach takes into consideration” actions that will “ensure certification.”  The EAC cites a situation where SysTest may be:

‘allowing and inviting manufacturers to play an inappropriate role in the development of test plans’ which ‘would be a significant violation’ of ISO and NIST rules, ‘and as such could affect SysTest’s accreditation status.’

On August 11th, SysTest assured the New York SBOE that all allegations are unfounded.  Meanwhile, the EAC and NIST have placed SysTest on administrative oversight and are currently reviewing all future testing plans.  These violations, if true, could result in revocation of SysTest’s accreditation as a federal voting system certification lab.   

But Americans should note that the guidelines being used to certify our nation’s voting systems are worthless according to many experts.  David Wagner testified in 2007 before the Committee on Oversight and Government Reform, Subcommittee on Information Policy, Census, and National Archives, U.S. House of Representatives: 

“In my research into electronic voting, I have come to the conclusion that the federal certification process is not adequate.  The testing labs are failing to weed out insecure and unreliable voting systems.  The federal certification process has approved systems that have lost thousands of votes, systems with reliability problems, and systems with serious security vulnerabilities.  Over the past four years, independent researchers have discovered security vulnerabilities in voting machines used throughout the country-vulnerabilities that were not detected by state and federal certification processes.”

This situation certainly begs the question, how can states rely on SysTest’s independence and competency in testing voting systems?  How can we rely on any of the federal testing labs? 

We Deserve the Best 

Computerized voting system experts have been decrying these systems for years.  The solution offered by most experts is software independence – in other words, do not rely on software-calculated results.  And if we can’t rely on software driven results, why bother using these systems?  They are outrageously expensive and their very presence invites massive fraud.   

Whatever election system is adopted, it must be designed to detect and prevent fraud.  We should not contract with a vendor that can’t build a system that complies with state laws, can’t produce a product that works more than half the time, can’t accurately document its product, and can’t even build a secure ballot box.  We are entitled to the best system we can design for something as sacred as public elections, on which our very sovereignty rests.

Joanne Lukacher and Howard Stanislevic contributed to this article.

To stop computerized voting systems from being deployed in New York, sign this petition