E-voting predicament: Not-so-secret ballots

From: Charlie Strauss <cems_at_earthlink_dot_net>
Date: Tue Aug 21 2007 - 00:35:50 CDT

Long ago we discussed the possibility of reverse engineering ballots
to voter association ad nauseam on OVC discussions. And whenever I
spoke with vendor reps I asked them what steps they used to sever the
ballot order record from the ballots. All of them, ES&S included,
assured me about how they randomized the ballot order in memory,
etc... Well apparently they were not telling the whole truth. (see
article below) In the case of ES&S the concurrent logfile preserves
the order. As does Diebold. I guess this is really no surprise
given that they also thought paper tapes were safe enough too.

The question one needs to ask is how can we design a poll book sign
in that does not preserve order. One such method is to have folks
sign in next to an alphabetized list and no record left of the order
they signed in. I've signed in on such lists but I can't be sure
there were not other records kept. It gets trickier for early voting
since there are so many different ballot styles order gets partly
preserved. And even statistical order recovery could be of high
value as has been demonstrated in the last couple federal elections
using voter targeting via databases of voter preference indicators.
The question is, would such a poll book create more problems for
security or open unconsidered avenues for stuffing?

OVC of course has a mandatory witnessed shuffling step.


  E-voting predicament: Not-so-secret ballots

  By Declan McCullagh

  Story last modified Mon Aug 20 09:06:52 PDT 2007

Ohio's method of conducting elections with electronic voting machines
appears to have created a true privacy nightmare for state residents:
revealing who voted for which candidates.

Two Ohio activists have discovered that e-voting machines made by
Election Systems and Software and used across the country produce
time-stamped paper trails that permit the reconstruction of an
election's results--including allowing voter names to be matched to
their actual votes.

Making a secret ballot less secret, of course, could permit vote
selling and allow interest groups or family members to exert undue
pressure on Ohio residents to vote a certain way. It's an especially
pointed concern in Ohio, a traditional swing state in presidential
elections that awarded George Bush a narrow victory over John Kerry
three years ago.

Ohio law permits anyone to walk into a county election office and
obtain two crucial documents: a list of voters in the order they
voted, and a time-stamped list of the actual votes. "We simply take
the two pieces of paper together, merge them, and then we have which
voter voted and in which way," said James Moyer, a longtime privacy
activist and poll worker who lives in Columbus, Ohio.

Once the two documents are merged, it's easy enough to say that the
first voter who signed in is very likely going to be responsible for
the first vote cast, and so on.

"I think it's a serious compromise," said David Dill, a Stanford
University computer science professor who has followed electronic
voting issues closely. "We have a system that's very much based on
secret ballots. If you have something where voters are involuntarily
revealing their votes, it's a very bad practice."

Moyer and fellow activist Jim Cropcho tested this by dropping by the
election office of Delaware County, about 20 miles north of Columbus,
and reviewing the results for a May 2006 vote to extend a property
tax to fund mental retardation services (PDF). Their results indicate
who voted "yes" and who voted "no"--and show that local couples (the
Bennets, for instance) didn't always see eye-to-eye on the tax.

Patrick Gallaway, communications director for Ohio Secretary of State
Jennifer Brunner, a Democrat, said on Friday that his boss had
already been planning to begin a "comprehensive" review of e-voting
machines as part of a campaign pledge she made before taking office
in January. He said the review now is likely to include a look at the
ES&S voter privacy concern as well.

ES&S machines are used in about 38 states, according to the Election
Reform Information Project, created by the Pew Center on the States.
Of those states, Arkansas, Iowa, North Carolina, Ohio, and West
Virginia are among those using ES&S iVotronic machines with paper
audit trails.

Other suppliers of electronic voting machines say they do not include
time stamps in their products that provide voter-verified paper audit
trails. Sequoia Voting Systems and Hart Intercivic both said they
don't. A spokesman for Diebold Election Systems (now Premier Election
Solutions), said they don't for security and privacy reasons: "We're
very sensitive to the integrity of the process."

An ES&S spokeswoman at the Fleishman-Hillard public relations firm
downplayed concerns about vote linking. "It's very difficult to make
a direct correlation between the order of the sign-in and the
timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic
machines are used in 10 Ohio counties, mostly in the center of the
state, according to a map on the BlackBoxVoting.org watchdog site.)

"That is so fatally flawed," Friedman-Wilson said about Moyer's and
Cropcho's analysis. "It doesn't take into consideration any of the
times that there would be interaction with a voter and a poll worker
before the ballot is activated." As for the interaction of Ohio open
records law with ES&S logs, she said that "it is most appropriate
that the secretary of state's office and others who are responsible
for carrying out elections respond to questions regarding Ohio
election law and procedure."

Timestamps + Ohio law = trouble

One explanation is ES&S had never expected that the paper with the
time stamps, known as a voter verified paper audit trail, or VVPAT,
would be made public under state open records laws.

A report evaluating ES&S security prepared by Compuware auditors two
years ago for the Ohio secretary of state--marked "Confidential" but
available on the Internet (PDF)--does warn about keeping electronic
time stamps. It says that the electronic representation of votes,
called the Cast Vote Records, "should not have time stamp associated
with it" and must be randomized to protect privacy.

But the auditors viewed timestamps on the physical printout, called
the audit log, as needed to detect "tampering" with the ES&S
iVotronic hardware. "All actions to the iVotronic are recorded in the
audit log with a time stamp," the report said. "This includes opening
and closing the polls, voting, inserting invalid voting cards, loss
of power, and supervisor access."

David Wagner, a professor of computer science at the University of
California, Berkeley, said electronic storage of votes in the order
that voters cast them is a recurring problem with e-voting machines.

"This summer I learned that Diebold's AV-TSX touchscreen voting
machine stores a time stamp showing the time which each vote was
cast--down to the millisecond--along with the electronic record of
that vote," Wagner said in an e-mail message. "In particular, we
discovered this as part of the California top-to-bottom review and
reported it in our public report on the Diebold voting system.
However, I had no idea that this kind of information was available to
the public as a public record."

The July 20 report on Diebold (PDF), written by Wagner and five
Princeton University researchers for the California secretary of
state, cites the electronic time stamp as a voting privacy concern.
"If the time when each voter checks in is recorded in the poll log
book, an attacker with access to the log book could correlate this
data with the timestamps to determine how voters voted," the report
says. "Alternatively, observers in the polling place could note the
time when target voters cast their votes and find the corresponding
vote records in the ballot results file."

Ohio law allows just this. Section 3501.13 of state law says "the
records of the board and papers and books filed in its office are
public records and open to inspection." Anyone who interferes with
the public's right to inspect the records, in fact, is guilty of a

Of course, the correlation may not be perfect. If Voter No. 1 signs
in but gives his space in line to Voter No. 2 who's in a hurry, a
reconstruction of the votes based on public records will incorrectly
identify their votes.

Having multiple machines and multiple lines can also create a
randomization effect, but Moyer says that in his experience as a poll
worker there's only one line that feeds into multiple machines. In
addition, he says, poll workers log the voter into the ES&S
iVotronic, which starts the time-stamped entries and means there's no
additional randomization of voters taking different amounts of time
to start the process.

A uniquely Ohio problem?

Even though other states do use the ES&S iVotronic paper trails,
they don't necessarily make them available for public perusal.

Natasha Naragon, a spokeswoman for the Arkansas secretary of state,
said she knew of no way to disable the time stamps on the voting
machines' printed output. But, she said, "our law does not allow for
public access to our voted ballots" and said they remain sealed
unless there's a recount.

Iowa's procedures seem designed precisely to avoid the Ohio
situation. "Iowa has an administrative rule, because the paper trail
is in voter sequence, that prohibits providing to any of the bodies
that have access to the paper rolls any information that would allow
them to link individual ballots on paper roll to the voters," said
Sandy Steinbach, the state's director of elections.

Computer scientists and security experts say restricting the public's
access to e-voting paper trails by tinkering with open records laws
is insufficient--it doesn't protect against, for instance, an insider
perusing the ballots and reconstructing them.

They do say paper trails are necessary to provide a physical check on
what could be a buggy or maliciously programmed machine. But they
offer three suggestions: deleting the time stamp, not keeping a list
showing in which order people vote, and adding a paper slicer and
shuffler to randomize how the physical audit trail is recorded.

Lorrie Cranor, director of the Usable Privacy and Security Laboratory
at Carnegie Mellon University, says that "you need to have mixing
either in the recording of the orders of the voters or the votes, or
preferably both."

"Audit trails are really important, but so is privacy," she said.
"Many of the vendors of (e-voting machines) have actually put ID
numbers on the paper records, which also could be used to reconstruct
which voter is associated with a vote."

Moyer and Cropcho have posted a summary of their findings on their
Web site, ThePublicBallot.org.

For its part, ES&S claims that printing out time stamps is
recommended by standards adopted in 2002 by the Federal Election

ES&S spokeswoman Friedman-Wilson pointed to two sections of the
standards, one of which says "all audit record entries shall include
the time-and-date stamp." The other says error messages, critical
system status messages, and a record of a voter "activating and
casting each ballot" should be part of the audit log. (It does not,
however, explicitly mandate that the outcome of the vote be printed.)

"Because the voter verifiable paper audit trail is one element of the
audit function of a voting unit, one could interpret these guidelines
as requiring the time stamp have citations within the guidelines,"
Friedman-Wilson said in an e-mail message.

Johnnie McLean, the deputy director of the North Carolina Board of
Elections, said: "Our public records laws don't include that paper
record. A voted ballot is considered confidential." In West Virginia,
secretary of state spokesman Ben Beakes said: "There would be no way
to match the time with the voter because in our poll book system, all
you would find is an alphabetical list of the people they voted, not
the time they came into the polling place."

Ohio, by contrast, may be unique. "It's my understanding from our
legal staff that a public document consists of anything that is in
the public domain," said Gallaway, the secretary of state's
communications director. "I think that both of those (the time-
ordered poll books and the time-stamped paper trail) would be
considered that."

That has left computer scientists, already alarmed about the security
of e-voting machines, dismayed at the interaction between time stamps
and Ohio laws. "Security and privacy and the integrity of the voting
system depend not only on the technology, but also on the procedures
and the combination of the two," said Stanford's Dill. "This is a
case where the combination of technology and procedures are working
together to create a privacy threat."

CNET News.com's Anne Broache contributed to this report

Copyright ©1995-2007 CNET Networks, Inc. All rights reserved.


Received on Fri Aug 31 23:17:06 2007
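
The correlation described in the article works whenever a stored field, or the storage order itself, tracks the order in which ballots were cast. As an added example (not part of the original post, the quoted article, or any vendor's code), here is a Python acceptance-test sketch that casts tagged test ballots and measures how much of the cast order can be rebuilt from the stored records, with and without the "delete the time stamp" and "shuffle" mitigations. The field names `seq`, `cast_at`, `choice` and `write_in` are hypothetical, and the ballots are constructed sample data.

```python
import secrets
from datetime import datetime, timedelta

ORDER_FIELDS = ("cast_at", "seq")  # hypothetical field names, not a vendor format


def sanitize(records, drop=ORDER_FIELDS):
    """Strip order-bearing fields, then shuffle with a CSPRNG before storage."""
    out = [{k: v for k, v in r.items() if k not in drop} for r in records]
    secrets.SystemRandom().shuffle(out)
    return out


def order_recovery(stored, marker):
    """Fraction of positions matching true cast order, per derivable ordering.

    `marker` names a field the test harness filled with a sortable cast-sequence
    tag (here a write-in string), so ground truth exists for test ballots only.
    """
    truth = sorted(r[marker] for r in stored)
    views = {"storage": list(stored)}
    for field in stored[0]:
        if field != marker:
            views["sort:" + field] = sorted(stored, key=lambda r: r[field])
    return {name: sum(r[marker] == t for r, t in zip(view, truth)) / len(stored)
            for name, view in views.items()}


def make_test_ballots(n=200):
    """Constructed sample data: n tagged test ballots, listed in cast order."""
    start = datetime(2007, 8, 20, 7, 0, 0)
    return [{"seq": i,
             "cast_at": (start + timedelta(seconds=37 * i)).isoformat(),
             "choice": "yes" if i % 3 else "no",
             "write_in": f"T{i:04d}"} for i in range(n)]


if __name__ == "__main__":
    ballots = make_test_ballots()
    reordered = ballots[::-1]  # storage order changed, but time stamps kept
    print("reorder only :", order_recovery(reordered, "write_in"))
    print("strip+shuffle:", order_recovery(sanitize(ballots), "write_in"))
```

Reordering alone leaves the cast order fully recoverable by sorting on the retained time stamp or sequence number; only stripping those fields and shuffling drives every ordering's match rate toward chance while leaving the tally unchanged.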
