Techdirt. Stories about "es&s"

Cause For Concern: 'Experimental' Patches Applied To Ohio Voting Machines Without Certification

Mike Masnick — Tue, 6 Nov 2012 11:28:55 PST

Update: Just as this post went out, the ruling was released—the judge has rejected the claims.

While we've covered e-voting issues for years, it really did seem like the issues with e-voting machines were less this year than in the past. Except... maybe not. ES&S, the largest vendor of e-voting machines, who has a long and scary history of problems with their machines, is embroiled in yet another controversy, in which Ohio's Secretary of State, Jon Husted, had the company install "experimental" software patches on ES&S vote counting machines (not the voting machines themselves, but the tabulators). The software is uncertified and likely violates the law.

Husted's office has not inspired confidence with its responses to these charges:

The Secretary of State’s office has been evasive and contradictory in response to questions about the minor seeming change that involved converting results from xml to csv format. Apparently, by calling the software “experimental,” Husted was attempting to avoid any approval, review or testing of the new software. But as the federal Elections Assistance Commission titled a memo back in February , “Software and Firmware modifications are not de minimis changes.”

In the meantime, a court is set to rule on the challenge to the software any time now, and a ruling against the software patches could make counting the votes tonight a more complicated process -- but considering the concerns, a reasonable solution. Today, the judge rejected the challenge to the software.

Oh, and while this story is making the rounds, we have no idea what to make of the video of an e-voting machine that votes for Romney if you click on Romney or Obama. There have been some questions as to whether the video was real, but reporters have confirmed that the machine (in Pennsylvania) has been "taken off line." The writeup on that one suggests it's not just a touch screen calibration issue, because the guy who filmed it said that if you touch other candidates, the same offset doesn't happen.

Permalink | Comments | Email This Story

Why Isn't There A Central Database Of E-Voting Problems?

Mike Masnick — Thu, 16 Sep 2010 20:02:48 PDT

For many years, we've been reporting on stories of e-voting malfunctions, mainly from Diebold/Premier, ES&S and Sequoia. For a sampling of such stories click on any of the following links: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25. And that's just the first 25 I found (there are lots more), and only cover stories that I actually covered. I'm sure plenty more glitch-infused elections have happened. Given all these glitches and errors, and a seeming lack of followthrough to make sure they don't happen again, a group is asking Congress to authorize a public national database of e-voting election problems.

The really scary part is that the researchers who wrote the report note that many of the problems are repeats -- a problem happens in one location, but another voting district uses the same machines configured in the same problematic way in another election, totally unaware of the problems it will cause. It's still amazing that after nearly a decade of examples of problems with e-voting, just how little has been done to fix these machines.

Permalink | Comments | Email This Story

Did South Carolina Use Second-Hand E-Voting Machines That Louisiana Decertified?

Mike Masnick — Wed, 16 Jun 2010 07:34:07 PDT

The election situation in South Carolina keeps getting stranger. Last week, we noted how the controversial election of Alvin Greene, a broke, out of work guy currently facing felony obscenity charges, who did no campaigning and no advertising of his campaign, had people looking at the e-voting machines in the election as one possible culprit. The ES&S iVotronic machines used in the election have no paper or audit trail, so there's really no way to go back and check, but the differences in voting patterns between the e-votes and absentee ballots certainly raised some eyebrows, as did a test of randomness in voting results using Benford's law (a useful tool for suggesting data was faked).

Now, reader Pickle Monger alerts us to the news that the previously expected winner of the campaign, Vic Rawls, is claiming that the ES&S e-voting machines used in the campaign were bought secondhand from Louisiana after Louisiana outlawed their usage:

Third is the well-documented unreliability and unverifiability of the voting machines used in South Carolina. It is worth noting that these machines were purchased surplus from Louisiana after that state outlawed them.

In response, the state is insisting there is no truth to this claim at all:

South Carolina's election commission begs to differ about the provenance of the voting machines. Spokesman Chris Whitmire says the state's 12,000 iVotronic voting machines were bought brand-spanking-new from Election Systems and Software, an Omaha-based behemoth that boasts of operations in 39 states.

Rawls' campaigns' response is hardly reassuring:

"That was what the word around the state was -- heard it from several people."

In other words, total hearsay. I'm all for pointing out the problems of e-voting systems, and ES&S certainly does have an exceptionally long history of having problematic machines that have been decertified in certain states, but claiming that such machines were used in South Carolina without any evidence other than "heard it from several people," seems pretty silly.

Of course, South Carolina's election commission has its own credibility problems. Apparently, its been telling local news media that the iVotronic systems do have an auditable paper trail. They don't. They have a paper tally, but that's not the same thing.

Either way, if you've been following the whole e-voting mess for many years, this sort of situation was bound to happen. Even if it turns out that e-voting machines were not the problem, the very lack of a voter verifiable paper trail, combined with massive security problems and ridiculous levels of secrecy from the e-voting companies has created a world in which no one actually trusts those machines. Even if the results were accurate, the voting machine companies' own actions have created so much doubt in people's minds, that they don't trust the results at all.

Permalink | Comments | Email This Story

Justice Department Decides To Break Up E-Voting Company

Mike Masnick — Tue, 9 Mar 2010 00:50:41 PST

As was rumored at the end of last year, the US Justice Department has decided to break up Election Systems & Software (ES&S), the dominant e-voting provider in the country. You may recall that just a few months earlier, ES&S (who has a long and troubled history of inaccurate, buggy and insecure e-voting machines) had purchased the remains of Diebold's e-voting business for just $5 million. Of course, Diebold also had a long and troubled history of inaccurate, buggy and insecure e-voting machines, so the two made a perfect match. In both cases, the companies relied on security by stonewalling -- insisting that nothing was wrong, despite lots of proof to the contrary, and refusing to let third party security experts ever look at their machines. Rather than breaking up the companies, why don't the feds just require that any e-voting machine use open source software that can be tested by anyone?

Permalink | Comments | Email This Story

Justice Department May Unwind Diebold E-voting Sale To ES&S

Mike Masnick — Tue, 22 Dec 2009 03:42:46 PST

After getting hammered publicly for having e-voting machines that didn't work well and had serious security problems, Diebold tried sell off its e-voting division for years with no luck. It then tried to change its name to Premier, hoping people wouldn't realize it was Diebold. In the end, Diebold finally found a buyer in ES&S, the other large player in the market. Between them they own 70% of the US market, apparently. And that's leading to some concern. The Justice Department is apparently looking into the deal to see if it should be unwound, out of fear that ES&S will jack up prices.

Honestly, I don't see what the value is in unwinding the deal. Then you'll have two awful e-voting companies with terrible track records with security and accuracy, rather than one. Instead, why aren't we focusing on requiring truly open solutions so that we actually verify that an e-voting system is both secure and accurate?

Permalink | Comments | Email This Story

ES&S Sues Former Workers Over Taking Buggy, Vulnerability-Filled Code

Mike Masnick — Wed, 9 Sep 2009 04:55:00 PDT

Michael Scott alerts us to the news that e-voting firm ES&S has sued two former employees, claiming copyright infringement over code they took with them from ES&S, along with additional trade secrets. I have no idea whether or not this is true, but all I can ask is "why?" As has been documented time and time again, ES&S's e-voting code has a ton of problems. Remember, these are the machines that have been found to have serious security vulnerabilities, with some serious bugs, such as adding votes to the wrong election, calibration problems that lead to people voting for the wrong candidate, and bugs that resulted in phantom votes. And ES&S is the company that knew about some of these bugs, and let them be used in elections anyway. So if you were going to go off and start your own e-voting company (and it's not clear these individuals did that), wouldn't you be better off starting from scratch?

Permalink | Comments | Email This Story

Diebold Finally Dumps E-Voting Division... But Sells It To Equally Problematic ES&S

Mike Masnick — Thu, 3 Sep 2009 16:13:48 PDT

Ah, Diebold. One of the "big three" e-voting providers out there, its name was the first one that got associated with the problems of e-voting machines, despite problems being found across the board in players in that space. I could never understand why the company continued to fight and deny problems with its machines after so much evidence was presented against them. The smart move would have been to admit that the machines had problems, work with security experts to solve them, and come out with better, safer machines. But that's not what happened. Instead, it stonewalled, denied problems, mocked those who exposed security flaws and kept pushing out questionable machines. Eventually, the stories got so bad, that Diebold realized it was having a seriously negative impact on its other lines of business (including ATMs), so it renamed the e-voting division "Premier Election Solutions" (as if people would forget) and went about trying to sell the thing off -- though, for years it couldn't find any takers.

It took a while, but Diebold has finally found a buyer. ES&S has purchased Diebold's e-voting business for a mere $5 million plus some outstanding revenue. In classic Diebold fashion, the company has announced that it "would not be answering questions about the sale" -- because that's how you go about rebuilding trust.

Meanwhile, it's not like ES&S is any better. It, too, has had massive problems with its e-voting machines, while the company has a history of stonewalling attempts by gov't officials to review their code. Oh, and there's this: company memos showed that the company knew about some of the problems with its voting machines that were used in elections. And the most fun of all? When we questioned why e-voting companies didn't allow independent security researchers to examine machines, an ES&S employee showed up in our comments to call us all idiots.

Now, with the combined ES&S/Diebold/Premier, a ridiculous large percentage of the country's e-voting machines now belong to one company, with an amazingly long family tree of faulty machines and a history of attacking anyone who points out those flaws.

Permalink | Comments | Email This Story

Yet Another E-Voting Glitch; This One Adds 5,000 Phantom Votes

Mike Masnick — Tue, 9 Jun 2009 10:42:00 PDT

Another election using e-voting machines... and another set of stories concerning massive problems. Slashdot points us to the news that a local election in Rapid City, South Dakota, was about to go to a runoff after no one hit the 50% mark, when someone finally noticed that the 10,488 vote total seemed a bit high. So, they went back and recounted the actual ballots, and discovered only 5,613 people voted, but the software added up the votes incorrectly. Once again, we're left wondering why it's so difficult to do simple arithmetic -- and why e-voting companies like ES&S are so against allowing experts to look at their source code and maybe help catch some of these bugs before they totally screw up an election.

ES&S, of course, has been especially bad when it comes to transparency, despite numerous stories of glitches. It's also the company that had an employee stop by here on Techdirt, call us all "idiots" while insisting that the machines were perfectly fine and that the machines are "extremely scrutinized and very reliable" and anyone questioning their reliability was simply relying on "conspiracy blogs." Of course, his focus was on the idea that the machines were "hacked" -- a charge we never made. Our concern -- and the concern of many others -- are that the machines are unreliable, prone to errors and have serious security and process flaws. Considering how many stories we've seen of problems with those machines in real elections, that seems to be proven fact -- not "conspiracy."

And yet, ES&S has always resisted any real scrutiny. When California looked to investigate e-voting machines more fully, ES&S was the one vendor who held out for months beyond the deadline, before finally submitting its source code along with a threatening letter about how it would personally sue the Secretary of State if any of its trade secrets got out. Of course, soon after this, we found out that even its certified code didn't much matter, since it had given California machines with uncertified code for an election. In the end, not surprisingly, ES&S machines were found to have significant problems, and were decertified in California. Perhaps South Dakota should have taken note.

Permalink | Comments | Email This Story

Easy For Anyone To Recalibrate ES&S E-Voting Machines

Mike Masnick — Tue, 4 Nov 2008 07:54:00 PST

Following on our earlier story demonstrating the calibration errors on ES&S e-voting machines in West Virginia, comes this report that notes the calibration controls are not protected and accessible to anyone. In other words, a pollworker or even a voter could modify the calibration to make it more difficult to vote for a particular candidate. While the overall risk may be minimal (voters would still see whether the correct candidate was highlighted), it could significantly impact voters' confidence with the accuracy of these machines and the sanctity of the election. It's still rather amazing how many stories we see on a near daily basis concerning how badly these machines are built.

Permalink | Comments | Email This Story

Guy Who Insists E-Voting Machines Work Fine... Demonstrates They Don't

Mike Masnick — Wed, 29 Oct 2008 08:31:00 PDT

If someone pitched a movie based on e-voting machines that work as bad as the ones being used in the current election, the story would be dumped as being unrealistic. But truth is, indeed, often stranger than fiction. You may recall on Friday that we had a post about problems with e-voting machines in West Virginia selecting the wrong candidate when voters touched the screen. Various officials rushed to insist that there was absolutely nothing wrong. One, the local county clerk, Jeff Waybright insisted that the problems were "the result of voter error."

Well, it appears that a group called Video The Vote went and visited with Mr. Waybright as he showed them how the e-voting machines work, and perhaps the "human error" is on Mr. Waybright's part. The beginning of the video is troubling enough, as he brushes aside concerns while he shows a miscalibrated machine. He demonstrates how he clicks on one candidate and another is highlighted, in a tone of voice that suggests why would anyone possibly be upset or annoyed if that happened? He then oddly thinks the fact that his wildly miscalibrated machine enhances his point because when he clicks on Barack Obama's name, the actual name highlighted isn't McCain (of course, it's not Obama either, but he doesn't seem troubled by this). Waybright seems to think that the only complaint people are making is the fact that some tried to vote for the Democratic ticket and saw the Republican ticket show up -- when the real concern is simply the fact that when you touch one name, someone else's name is highlighted. Democrat or Republican really isn't the issue here.

However, then things get worse. After mocking the idea that anyone clicking on a Democratic ticket vote would get the Republican ticket vote, he shows how to correctly calibrate the machine, showing how easy it is to fix the "problems" of the miscalibrated machine. When he's done, to prove it works, he touches the box to vote for a straight Republican ticket ticket... and, wouldn't you know it, Ralph Nader's name is highlighted as the voter's choice. His response? "Oh, that's out of calibration!" as if it was no big deal, apparently missing the fact that he had just calibrated the machine. He then seems to think none of this is a big deal, because voters will see the misvote before they submit it, apparently unaware of the idea that many people are already quite distrustful of these machines, and seeing them highlight the wrong name over and over again will make them seriously question the legitimacy of the election.

Permalink | Comments | Email This Story

Surprise, Surprise: E-Voting Glitches Found In Early Voting

Mike Masnick — Fri, 24 Oct 2008 19:35:00 PDT

The GAO had warned that there would be some pretty massive e-voting problems this year, as election officials were not properly trained on the already problematic machines, so it should come as little surprise that over in West Virginia, the "early voting" procedures have resulted in numerous complaints that the e-voting machines selected the wrong candidate. The scenario is depressingly similar to the one that The Simpsons predicted, where the voter selects one name, and the other one shows up as highlighted. Poll workers told them to just keep clicking until the right one was chosen, and noted that the machines have "just been doing that."

What's more depressing is how everyone involved seems to brush this off as no big deal. Officials claimed that these "were isolated cases and that poll workers fixed the problems so the correct vote was cast." That may be true of the two people that CNN spoke too, but who knows if others got the machines to work properly. And then there's West Virginia's Secretary of State, Betty Ireland , who basically pulled a page from Sequoia's playbook, of covering her eyes and ears and screaming loudly that everything is fine:

"There are no problems with the machines as recalibrated. Touch-screen voting in West Virginia is accurate and secure."

Because you say so? As opposed to those who are actually voting and finding it's not? That's comforting.

In this case, the machines are supplied by ES&S whose machines (like both Sequoia and Diebold) have a relatively long history of screwing up at election time. ES&S is also the company where an employee of the company showed up here to berate us and insist that no independent experts should be allowed to look at the machines and that they were safe and reliable because those working at these firms knew better than the rest of us. It's as if the e-voting companies and the politicians think that if they just keep repeating it, maybe it will become true.

Permalink | Comments | Email This Story

ES&S E-Voting Machines Gave Votes To A Totally Different Election

Mike Masnick — Thu, 5 Jun 2008 07:56:00 PDT

You may recall last year that when we had a series of posts about the fact that e-voting companies refused to let independent security experts review their machines, we had a representative from e-voting firm ES&S show up in the comments and repeatedly berate us for not knowing what we were talking about. That individual insisted that the machines were perfectly well tested. He also insisted that elections using e-voting machines were "extremely scrutinized and very reliable." Of course, we haven't heard from that individual lately -- not since an independent review of ES&S's machines found that security was seriously lacking leading various states to quickly decertify many ES&S machines. Oops.

Reader Jose Luis Campanello writes in to point out a story we missed from last week, about how some ES&S machines used in a state primary in Arkansas didn't just screw up counting the votes, it assigned votes to a totally different election -- and those "lost" votes changed the result of the election. No one seems to have any idea how this is even possible, let alone how it happened. Somehow, I get the feeling that no representatives from ES&S will show up this time to tell us how their machines are perfectly reliable and don't need any kind of independent review. Luckily, in this case there was a voter-verified paper trail (which some insist are a bad thing), which allowed election officials to backtrack and figure out what had happened and correct the mistake. Without the paper trail, there would have been no way to have even realized this mistake happened.

Permalink | Comments | Email This Story

California Reviews... And Decertifies... More ES&S E-Voting Machines

Mike Masnick — Thu, 27 Mar 2008 12:57:00 PDT

Remember how e-voting firm ES&S was so against letting California's Secretary of State have an independent security team review their e-voting machines? Well, now we know why. The state had already released one damning security report and sued ES&S for giving the state uncertified machines. Now the state has come out with another report on more ES&S machines and the story gets worse and worse and worse. The good news is that California won't certify any of them. The bad news is that ES&S appears to not only be belligerent in not wanting to let California review its machines, but it also seems to be incompetent as well. As Dan Wallach notes in reviewing the report, ES&S appears to have outright ignored issues that the state asked them to address. As for the machines themselves? There seem to be all sorts of problems, including an awful lot of data stored in cleartext rather than encrypted, easily accessible and easily changed or corrupted data, and seldom-used and easily-broken password protection. Physical locks were all easily picked (some within 5 seconds, the rest within a minute). In other words, the security is a near total joke. This, despite the fact that people have been pointing out these kinds of security concerns for over five years. I wonder if the guy from ES&S who showed up a year ago and told us all we had no clue what we were talking about and swearing up and down that the machines were safe will come back and explain these latest results.

Permalink | Comments | Email This Story

New Study Shows Massive Error Rates In E-Voting Machines

Mike Masnick — Fri, 21 Mar 2008 19:42:00 PDT

Just as e-voting firm Sequoia is resisting having its machines reviewed independently, the Brookings Institute has put a bunch of e-voting machines to the test, and found error rates around 3% on some of the machines. These weren't errors due to software problems, but usability problems, where the design of the system resulted in people voting for a candidate they did not want. 3% is a huge number, and could easily change the results of an election. While the study found that people generally like e-voting technology, that still doesn't mean it's particularly effective. One other interesting part of the finding: when there was a voter-verified paper trail, it didn't cut down on errors. This suggests that many voters were either confused or didn't even bother to verify their vote. This should all be very worrisome. Even ignoring the technology problems that these machines have been shown to have, the fact that the design tends to create so many mistake votes should lead people to seriously question the use of e-voting machines.

Permalink | Comments | Email This Story

Ohio E-Voting Machines Declared A Crime Scene?

Mike Masnick — Tue, 18 Mar 2008 13:36:00 PDT

While it's difficult to believe some of the more conspiracy-minded theories that have gone around concerning voting results from Ohio in 2004, the simple fact that there's absolutely no way to go back and review the results highlights exactly the problem with e-voting machines. Ohio's current secretary of state has now declared some of the machines used in the '04 election as a crime scene to be investigated, but everyone admits that there's little to no chance of being able to recreate what actually happened on election night, and no way to tell if the machines acted properly or if they malfunctioned. And, if they did malfunction, there's no way to tell if it was due to an accident or something underhanded. In other words, whether or not everything worked great or everything worked terribly, there's simply no way to tell. That is why so many of us have trouble with the concept of e-voting machines. Even if they work perfectly, there's no way to confirm that -- and it just leads to more speculation and conspiracy theories about "stolen" elections.

Permalink | Comments | Email This Story

GAO Says E-Voting Machines Not The Problem In Florida; E-Voting Experts Not So Sure

Mike Masnick — Mon, 11 Feb 2008 05:30:23 PST

In the ongoing saga of the lost votes of Sarasota County Florida in the 2006 election, the Government Accountability Office (GAO) has now come out with a report suggesting that the e- voting machines were not to blame. This comes after another report last year also said the machines weren't to blame. However, that report came under some criticism as it only involved security folks looking at the source code, rather than actually getting to test the software on an e-voting machine itself. Similarly, this new GAO report is coming under some criticism as both David Dill and Ed Felten are questioning the methodology of the GAO's tests -- which do sound rather limited. Felten points out that ES&S (makers of the machines used in Sarasota) are likely to proclaim this a vindication. However, there are still plenty of additional questions -- and, most importantly, the very fact that it's been so difficult to verify how the voting turned out shows just how problematic these machines can be in managing a democratic election that the populace can trust to be both fair and accurate.

Permalink | Comments | Email This Story

Colorado The Latest To Ditch E-Voting Machines

Mike Masnick — Tue, 18 Dec 2007 21:47:00 PST

Just days after Ohio announced problems with all of the e-voting machines used in that state, Colorado has decertified e-voting machines from all four major vendors in the space, noting serious problems with them all, including a 1% error rate in counting ballots (1%!). So at what point do the e-voting companies stop stonewalling and finally just admit that they need to start again from scratch? At this point, it's beyond clear that none of these firms is even the least bit trustworthy -- and yet, they continue to protest these decertifications, despite piles upon piles of evidence that these machines have serious problems.

Permalink | Comments | Email This Story

Ohio Finds All E-Voting Machines In The State Had Serious Flaws

Mike Masnick — Mon, 17 Dec 2007 04:19:24 PST

Earlier this year, California found all sorts of problems with e-voting machines used in the state. Now, Ohio, home to some of the more controversial stories surrounding presidential elections, has also found serious flaws in every e-voting machine used in the state. It's the usual stuff that has been pointed out for years: it was easy to pick locks on the machines, introduce fake votes, and load up dangerous unauthorized software onto the machines. Not much new there -- just another confirmation. What's much more interesting is the reaction of the firms involved.

First up is "Premier Election Solution," who you probably would recognize better under its old name: Diebold. The company changed its name a few months ago, hoping people would no longer associate Premier with all of the ridiculously bad history associated with Diebold. A Premier official said that all of the problems noted in the report have been fixed in its new machines. While that's a better response than Diebold's typical response of trashing any researcher who points out a flaw or cracking jokes about the flaws, it's one of the few times we've ever seen Diebold/Premier admit that older machines actually did have significant flaws. Of course, the few times that's happened in the past, it's always come with the same sort of "but everything is fixed now!" clause. And... every time a Diebold/Premier representative says something along those lines, it's only a matter of months until new flaws are announced. So, given Diebold's history, it's pretty difficult to take the company's word that all the flaws have now been fixed.

Even worse, though, is the response of ES&S, who has become even more Diebold-like in its responses to various problems found in its machines. On the Ohio report, ES&S responded: "We can also tell you that our 35 years in the field of elections has demonstrated that Election Systems and Software voting technology is accurate, reliable and secure." Note that this doesn't actually respond to any of the specific criticisms in the report. As for that history, let's take you back to a few of ES&S's greatest hits: this is the company that was caught providing uncertified software to California, while also failing to disclose foreign manufacturing partners (as required by federal law). It's also the company responsible for the well-known case in Florida where thousands of votes went missing and the election in Texas where votes were counted three times. And, of course, let's not forget the internal memos at ES&S which showed the company knew about problems with its software, while publicly stating that the machines were perfectly fine. So, sorry, ES&S, you can try to pretend those things didn't happen, but the history you point to hardly shows that your machines are "accurate, reliable and secure." It shows a company that will say anything to avoid admitting that its machines have problems.

Permalink | Comments | Email This Story

ES&S Voting Machine Reviewed: Security Is Lacking

Mike Masnick — Tue, 4 Dec 2007 15:55:00 PST

ES&S is already involved in a lawsuit for providing uncertified software to California e-voting machines, but things keep getting worse for the company. Beyond all the other problems it's had with buggy machines and a defiant attitude towards anyone who questions the company, California has finally produced the independent security team review of the ES&S machines used in California and it's not pretty. You may recall that all of the other e-voting machines were reviewed by independent researchers four months ago. ES&S, however, wasn't included in that review because the company stubbornly refused to hand over its source code until well after the deadline, meaning that the review had to wait. However, the results are pretty similar to the other machines. The machine was clearly not built with security in mind, as both the software and the physical security were found to be lacking and easily violated in ways that would not leave much of a trace. At this point, none of this should be even remotely surprising. What still is surprising is why none of these firms will even admit that their approaches to date have fallen well short of what was necessary -- while committing to building new machines that actually have real security and accountability built in.

Permalink | Comments | Email This Story

California Sues E-Voting Firm That Threatened California's Secretary Of State

Mike Masnick — Wed, 21 Nov 2007 00:46:00 PST

Remember how e-voting firm ES&S originally refused to hand over its source code to California Secretary of State Debra Bowen? And, then, when it finally did hand over the code, how it did so with a petulent, threatening letter, warning her that they would hold her personally responsible for any disclosure of ES&S trade secrets? In retrospect, it probably wasn't such a good idea for the company to include those threats -- especially when the company had changed the source code on some of their machines without telling the state or bothering to have the new software re-certified. After an investigation, California has now sued ES&S for giving the state uncertified e-voting machines. Perhaps those were the "trade secrets" ES&S was so worried about Bowen leaking out. Or maybe it was how ES&S machines have been found in some cases to count votes in triplicate or not at all. Or maybe it was the trade secret involving how the company knew its machines were buggy and prone to problems. Or the one about how it "forgot" to disclose, as required by law, the fact that some manufacturing took part overseas.

As for ES&S's response to the lawsuit, the company appears to have two defenses. First, it claims that the software changes were only "minor" so it didn't need to inform the state. Unfortunately, that's not what California law says -- and it's difficult to see why anyone would think that ES&S gets to decide what software upgrades are minor or not. Even more troublesome is ES&S's second response, claiming that this lawsuit "isn't in the best interests of California voters" because disabled voters won't be able to vote with ES&S's machines. Unfortunately for ES&S, this isn't about helping disabled voters vote -- it's about helping them (and others) vote reliably and accurately in a way that the state has certified -- and on that point, it appears ES&S fails.

Permalink | Comments | Email This Story

What's More Important: Accurate Elections Or Fast Results?

Mike Masnick — Thu, 20 Sep 2007 15:24:00 PDT

As the debate continues over e-voting machines, we're seeing some more misplaced whining over attempts to make elections more fair and accurate. In San Francisco, election officials are complaining about the rules set by California's secretary of state, which will mean that this year's mayoral election ballots will need to be checked and counted by hand. Effectively, that means that results for the election won't be known for a few weeks -- rather than instantly. This leads to all sorts of whining and complaining from election officials about how unfair this is -- but since when should speedy results be more important than accurate vote counts? And, the problem is not the secretary of state at all (as the election officials imply). It's because of two separate e-voting firms who refused to take the necessary steps to make sure their machines could be properly reviewed.

First, there's Election Systems and Software (ES&S) makers of buggy e-voting machines (that they admitted in internal memos) that have been known to lose votes or count them in triplicate depending on the election. San Francisco currently uses ES&S machines to count ballots, but those machines don't work very well -- especially if the voter isn't using exactly the right type of pen or pencil. When the secretary of state demanded that ES&S allow outside security experts to examine their machines and software, the company refused to allow it, and then finally gave in, well past the deadline, and included an angry petulent letter threatening the secretary of state. This, despite the fact that the company was caught providing uncertified equipment for the last election. With all that baggage, is it any wonder that the secretary of state would ask for a more thorough method of counting the votes?

The second e-voting firm, Sequoia, was chosen by San Francisco as a replacement vendor to get rid of the questionable ES&S machines. Of course, Sequoia has its own share of problems. Last year it was revealed that there was a button on the machines that would put the machine into "manual" mode and let you vote multiple times. Sequoia claimed this button was a feature. Reasonably, San Francisco's board of supervisors requested that Sequoia hand over their software to be reviewed -- a request which Sequoia refused. Thus, the board rejected the contract... leaving everyone in the situation they're in today. So, while elections officials may complain about the rules for counting votes, it's not the secretary of state they should blame, but the e-voting companies who continue to stonewall when it comes to actually making sure their machines are secure and accurate. And, in the meantime, can someone explain to elections officials that their job is to conduct fair and accurate elections, rather than elections with quick results?

Permalink | Comments | Email This Story

ES&S Gave California E-Voting Machines That Weren't Certified

Mike Masnick — Wed, 22 Aug 2007 06:55:00 PDT

Well, the hits keep for Election Systems & Software (ES&S). The company was already facing some controversy over the fact that its e-voting machines time stamped the ballots in a way that could reveal how voters voted, and now California's Secretary of State has discovered that the company gave the state e-voting machines for the last election that were not certified. California had certified one model of ES&S machines, but the company sold a different model to five counties. The state is now looking to fine ES&S. Of course, ES&S is also the company that originally refused to hand over its source code to the state, but eventually did so along with a threatening letter about how it would hold the Secretary of State personally responsible for any trade secrets that leaked. Trade secrets like how their machines accidentally were found to count votes in triplicate? ES&S, by the way, is also the company whose machines were used in the Florida election where many votes went missing, and it was later discovered that the company had passed around memos about their buggy software that could have caused the problem. It's also the company that had an employee come here to Techdirt and post a bunch of angry comments about how e-voting machines were perfectly safe and went through more than enough testing. Apparently not in California. Update: As pointed out in the comments, the company also was just caught failing to disclose foreign manufacturing partners to federal agencies, as it's required to do. ES&S's response on being caught? Shrugged it off as an oversight that they would fix. It appears that the company doesn't seem to worry about getting punished for all its mistakes.

Permalink | Comments | Email This Story

E-Voting Ballots May Not Be So Secret; Paper Trail Takes Away Anonymity

Mike Masnick — Tue, 21 Aug 2007 06:36:00 PDT

Another day, another security problem with e-voting machines. Obviously, one of the biggest requests from people who were nervous about the security of e-voting machines was that all e-voting machines have a verifiable paper trail. Then, at least, there's a way to recount the votes if there are any questions. Unfortunately, even when the e-voting companies finally do add a paper trail, it seems that they muck up the process. As was noted in the recent security analysis of these machines, many of the problems are because they weren't designed from the ground up with security in mind, but rather have security procedures slapped on as extras.

In this case, some Ohio activists discovered that the paper trail coming from e-voting firm Election Systems and Software (ES&S) happen to have time and date stamps on them. Those ballots are available for anyone to look at, based on election law in Ohio. Also available for anyone to peruse are the voter sign-in logs. With both of those in hand, it's not hard to put together a pretty decent list of who voted for what. You just match up the names in the order they signed in with the timestamp on the ballots.

Of course, rather than responding to this as they should, by admitting it was a bad idea, ES&S sends out their PR people to say it's no big deal. While ES&S is right that it might not always be possible to do an exact match person to person, you can come pretty close -- and that should be seen as a huge concern. Furthermore, as Ed Felten points out, the other e-voting firms aren't much better, and Diebold (or Premiere, or whatever its new name is) appears to be outright ~~lying~~ skirting the truth when it claims that its paper trail doesn't include timestamps (update:: Ed Felten points out that the Diebold ballots don't have a time stamp, but the electronic records do). It's not hard to see how this happened, but the continued denial and stonewalling from the e-voting companies, rather than admitting a mistake was made and explaining how they're going to fix things, really is troubling.

Permalink | Comments | Email This Story

California Decertifies E-Voting Machines... Then Recertifies Them (With A Few Conditions)

Mike Masnick — Mon, 6 Aug 2007 12:41:41 PDT

Following the release of the various independent security reports last week on the e-voting machines used in Californa, the Secretary of State needed to decide by Friday night whether to keep the machines in use in the state. At 11:45pm, she decided to decertify the machines only to immediately recertify them if they made some security changes. Of course, it seems like the changes are simply patches, and as the original report noted, many of the security problems the machines have is because all of the security they've implemented was patched on as an afterthought. Until the machines are designed from the ground up with security in mind, it's not likely to really fix many of the vulnerabilities. But, in the meantime, there's an election coming up, and apparently a bunch of major security problems are no reason to get rid of the expensive e-voting machines the state has already purchased.

Permalink | Comments | Email This Story

Security Experts Able To Hack Into Nearly Every E-Voting Machine

Mike Masnick — Mon, 30 Jul 2007 21:44:00 PDT

Back in March, California decided that after years of negative publicity about the security of e-voting machines (and certainly enough evidence to suggest they weren't very secure) that it would allow independent security experts to try to hack into any machine before it got approval to be used in California elections. Those researchers have gone ahead and found that every machine they tested was hackable -- often very easily. The researchers were able to hack into Diebold, Sequoia and Hart InterCivic machines. They didn't get a chance to test ES&S machines because, as you may recall, ES&S stalled before handing over their source code (and included a nasty threatening letter with it). To be fair, these machines were tested in non-normal conditions, where the researchers had access to all sorts of documentation, the full source code and no election going on where people might spot them tampering with a machine. That is, this doesn't mean that it's necessarily easy to hack an election. It just means that all of the machines have some insecurities -- most of which we didn't know about before. The key here is that we can now understand these insecurities and whether or not they're adequately protected by other measures. What still doesn't make sense is why the e-voting firms are so against this process. All it's really doing is helping those companies improve their products to make them more secure. Of course, one key reason is that the researchers found that many of the security problems are because the machines weren't built with security in mind -- but only had it added as an afterthought. In other words, these companies probably should be redesigning their machines from scratch, which they don't want to do. Of course, does it worry anyone else that the machines weren't designed with security in mind in the first place?

Permalink | Comments | Email This Story