While it's difficult to believe some of the more conspiracy-minded theories that have gone around concerning voting results from Ohio in 2004, the simple fact that there's absolutely no way to go back and review the results highlights exactly the problem with e-voting machines. Ohio's current secretary of state has now declared some of the machines used in the '04 election as a crime scene to be investigated, but everyone admits that there's little to no chance of being able to recreate what actually happened on election night, and no way to tell if the machines acted properly or if they malfunctioned. And, if they did malfunction, there's no way to tell if it was due to an accident or something underhanded. In other words, whether or not everything worked great or everything worked terribly, there's simply no way to tell. That is why so many of us have trouble with the concept of e-voting machines. Even if they work perfectly, there's no way to confirm that -- and it just leads to more speculation and conspiracy theories about "stolen" elections.

Earlier this year, California found all sorts of problems with e-voting machines used in the state. Now, Ohio, home to some of the more controversial stories surrounding presidential elections, has also found serious flaws in every e-voting machine used in the state. It's the usual stuff that has been pointed out for years: it was easy to pick locks on the machines, introduce fake votes, and load up dangerous unauthorized software onto the machines. Not much new there -- just another confirmation. What's much more interesting is the reaction of the firms involved.

First up is "Premier Election Solution," who you probably would recognize better under its old name: Diebold. The company changed its name a few months ago, hoping people would no longer associate Premier with all of the ridiculously bad history associated with Diebold. A Premier official said that all of the problems noted in the report have been fixed in its new machines. While that's a better response than Diebold's typical response of trashing any researcher who points out a flaw or cracking jokes about the flaws, it's one of the few times we've ever seen Diebold/Premier admit that older machines actually did have significant flaws. Of course, the few times that's happened in the past, it's always come with the same sort of "but everything is fixed now!" clause. And... every time a Diebold/Premier representative says something along those lines, it's only a matter of months until new flaws are announced. So, given Diebold's history, it's pretty difficult to take the company's word that all the flaws have now been fixed.

Even worse, though, is the response of ES&S, who has become even more Diebold-like in its responses to various problems found in its machines. On the Ohio report, ES&S responded: "We can also tell you that our 35 years in the field of elections has demonstrated that Election Systems and Software voting technology is accurate, reliable and secure." Note that this doesn't actually respond to any of the specific criticisms in the report. As for that history, let's take you back to a few of ES&S's greatest hits: this is the company that was caught providing uncertified software to California, while also failing to disclose foreign manufacturing partners (as required by federal law). It's also the company responsible for the well-known case in Florida where thousands of votes went missing and the election in Texas where votes were counted three times. And, of course, let's not forget the internal memos at ES&S which showed the company knew about problems with its software, while publicly stating that the machines were perfectly fine. So, sorry, ES&S, you can try to pretend those things didn't happen, but the history you point to hardly shows that your machines are "accurate, reliable and secure." It shows a company that will say anything to avoid admitting that its machines have problems.

Joseph Beck writes "Here in the Cleveland area there are a few election races that must be recounted because the final results were close. The county uses touchscreen machines from Diebold. The machines print a paper ballot that is reviewed by the voter. State law calls for those paper ballots to be used for the recount. The problem is, some of those ballots did not print properly because of paper jams and malfunctions, and are not readable. The Ohio Secretary of State has declared that those votes can be counted by simply reprinting the paper ballot from the memory card. Of course that defeats the purpose of a voter-verified audit trail, but she says it is acceptable. The next day the news came out that the number of unreadable ballots was actually 20% of all ballots. A spokesman for Diebold said "That is a percentage that prompts us to do further investigation." I'm sure they'll get right on it."

Anyone want to take odds on how long it will take before Diebold or another e-voting supporter uses this failure as an example of why they were better off without a voter-verifiable paper trail in the first place? Diebold and others have always used the "well, paper receipts jam" excuse in the past, meaning the companies have little incentive to come up with ways to prevent such paper jams.

For quite some time now, we've been pointing out how ridiculous it is that state after state after state passes "for the children" laws which clearly are unconstitutional. These laws are always thrown out by the courts. It's a total waste of taxpayer money, as the state needs to go to court to defend the law, only to have it thrown out (it's even worse when they go on to appeal). The politicians don't care. They just want to pass the law so they can show voters in their district that they're "protecting the children." Who cares if they're not actually protecting any children and actually really just wasting taxpayer money? The latest state to go through this process is Ohio -- and now reporters are finally starting to ask how much are these bogus laws costing taxpayers to defend in court? It probably won't stop politicians from passing these laws, but it's about time the press started asking this question directly to the politicians.

Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there's a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras.

In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happen to have time and date stamps on them. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it's not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.

Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it's no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close -- and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren't much better, and Diebold (or Premiere, or whatever its new name is) appears to be outright lying skirting the truth when it claims that its paper trail doesn't include timestamps (update:: Ed Felten points out that the Diebold ballots don't have a time stamp, but the electronic records do). It's not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they're going to fix things, really is troubling.

You might remember the recent data leak in Ohio, where personal info on a million or so people was lost, after a storage device containing it was stolen from an intern's car. The intern, who apparently took the device home with him as part of a security protocol, has now been fired by the state, and says he's being made the scapegoat for the loss. Despite the governor's claims to the contrary, of course the intern's being scapegoated, even though he apparently was just doing what he was told. That's how things work with data leaks: the buck is passed, and responsibility shirked. In this instance, the state can say the responsible party has been fired, glossing over the fact that he was apparently just following directions he'd been given, and that the real problem here was a flawed security plan that was either devised by an idiot, or, more likely, by somebody who didn't take the security of other people's personal info very seriously. That's the problem here: nobody seems to care when it's other people's data. There are never any real ramifications from these leaks, as long as companies or governments are seen to have some security plan in place, even if it's not a good one. Until that changes -- and the scapegoating and responsibility shirking stops -- data leaks and breaches are going to keep on coming.

Back in June, the state of Ohio said it had lost the personal information of some 64,000 state employees, after a storage device was stolen from an intern's car -- which, apparently according to its security protocols, was a suitable off-site storage location. The state dutifully followed the usual plan of releasing another announcement raising the number of people whose information was lost, putting it at 500,000. Turns out that was a little conservative; the state now says the figure is closer to one million, nearly 16 times the original claim. The governor and his staffers claim that nobody appears to have used the stolen information yet, and that it would take somebody with "special knowledge and understanding" to access it. Of course, coming from a place where storing stuff in an intern's car is regarded as secure and safe, that claim doesn't carry a lot of weight -- nor does it make up for the egregious breach that occured.