October 14, 2024

Posts Comments

The continuing saga of Sarasota's lost votes

February 8, 2008 by

At a hearing today before a subcommittee of Congress’s Committee on House Administration, the U.S. Government Accountability Office (GAO) reported on the results of their technical investigation into the exceptional undervote rate in the November 2006 election for Florida’s 13th Congressional District.

David Dill and I wrote a long paper about shortcomings in previous investigations, so I’m not going to present a detailed review of the history of this case. [Disclosure: Dill and I were both expert witnesses on behalf of Jennings and the other plaintiffs in the Jennings v. Buchanan case. Writing this blog post, I’m only speaking on my own. I do not speak on behalf of Christine Jennings or anybody else involved with the campaign.]

Heavily abridged history: One in seven votes recorded on Sarasota’s ES&S iVotronic systems in the Congressional race were blank. The margin of victory was radically smaller than this. If you attempt to do a statistical projection from the votes that were cast onto the blank votes, then you inevitably end up with a different candidate seated in Congress.

While I’m not a lawyer, my understanding of Florida election law is that the summary screen, displayed before the voter casts a vote, is what really matters. If the summary screen showed no vote in the race and the voter missed it before casting the ballot, then that’s tough luck for them. If, however, the proper thing was displayed on the summary screen and things went wrong afterward, then there would be a legal basis under Florida law to reverse the election.

Florida’s court system never got far enough to make this call. The judge refused to even allow the plaintiffs access to the machines in order to conduct their own investigation. Consequently, Jennings took her case directly to Congress, which has the power to seat its own members. The last time this particular mechanism was used to overturn an election was in 1985. It’s unclear exactly what standard Congress must use when making a decision like this. Should they use Florida’s standard? Should they impose their own standard? Good question.

Okay, then. On to the GAO’s report. GAO did three tests:

  1. They sampled the machines to make sure the firmware that was inside the machines was the firmware that was supposed to be there. They also “witnessed” the source code being compiled and yielding the same thing as the firmware being used. Nothing surprising was found.
  2. They cast a number of test ballots. Everything worked.
  3. They deliberately miscalibrated some iVotronic systems in a variety of different ways and cast some more test votes. They found the machines were “difficult to use”, but that the summary screens were accurate with respect to the voter’s selections.

What they didn’t do:

  • They didn’t conduct any controlled human subject tests to cast simulated votes. Such a test, while difficult and expensive to perform, would allow us to quantify the extent to which voters are confused by different aspects of the voting system’s user interface.
  • They didn’t examine any of the warehoused machines for evidence of miscalibration. They speculate that grossly miscalibrated machines would have been detected in the field and would have been either recalibrated or taken out of service. They suggest that two such machines were, in fact, taken out of service.
  • They didn’t go through any of ES&S’s internal change logs or trouble tickets. If ES&S knows more, internally, about what may have caused this problem, they’re not saying and GAO was unable to learn more.
  • For the tests that they did conduct, GAO didn’t describe enough about the test setup and execution for us to make a reasonable critique of whether their test setup was done properly.

GAO’s conclusions are actually rather mild. All they’re saying is that they have some confidence that the machines in the field were running the correct software, and that the software doesn’t seem to induce failures. GAO has no opinion on whether poor human factors played a factor, nor do they offer any opinion on what the legal implications of poor human factors would be in terms of who should have won the race. Absent any sort of “smoking gun” (and, yes, 18,000 undervotes apparently didn’t make quite enough smoke on their own), it would seem unlikely that the Committee on House Administration would vote to overturn the election.

Meanwhile, you can expect ES&S and others to use the GAO report as some sort of vindication of the iVotronic, in specific, or of paperless DRE voting systems, in general. Don’t buy it. Even if Sarasota’s extreme undervote rate wasn’t itself sufficient to throw out this specific election result, it still represents compelling evidence that the voting system, as a whole, substantially failed to capture the intent of Sarasota’s voters. Finally, the extreme effort invested by Sarasota County, the State of Florida, and the GAO demonstrates the fundamental problem with the current generation of paperless DRE voting systems: when problems occur, it’s exceptionally difficult to diagnose them. There simply isn’t enough information left behind to determine what really happened during the election.

Other articles on today’s news: CNet News, Bradeton Herald, Sarasota Herald-Tribune, NetworkWorld, Miami Herald (AP wire story), VoteTrustUSA

UPDATE (2/12): Ted Selker (MIT Media Lab) has a press release online that describes human factors experiments with a Flash-based mock-up of the Sarasota CD-13 ballot. They appear to have found undervote rates of comparable magnitude to those obvserved in Sarasota. A press release is very different from a proper technical report, much less a conference or journal publication, so it’s inappropriate to look to this press release as “proof” of any sort of “ballot blindness” effect.

Filed Under: Uncategorized Tagged With:

Google Objects to Microhoo: Pot Calling Kettle Black?

February 6, 2008 by

Last week Microsoft offered to buy Yahoo at a big premium over Yahoo’s current stock price; and Google complained vehemently that Microsoft’s purchase of Yahoo would reduce competition. There’s been tons of commentary about this. Here’s mine.

The first question to ask is why Microsoft made such a high offer for Yahoo. One possibility is that Microsoft thinks the market had drastically undervalued Yahoo, making it a good investment even at a big markup. This seems unlikely.

A more plausible theory is that Microsoft thinks Yahoo is a lot more valuable when combined with Microsoft than it would be on its own. Why might this be? There are two plausible theories.

The synergy theory says that combining Yahoo’s businesses with Microsoft’s businesses creates lots of extra value, that is that the whole is much more profitable than the parts would be separately.

The market structure theory says that Microsoft benefits from Yahoo’s presence in the market (as a counterweight to Google), that Microsoft worried that Yahoo’s market position was starting to slip, so Microsoft acted to prop up Yahoo by giving Yahoo credible access to capital and strong management. In this theory, Microsoft cares less (or not at all) about actually combining the businesses, and wants mostly to keep Google from capturing Yahoo’s market share.

My guess is that both theories have some merit – that Microsoft’s offer is both offensive (seeking synergies) and defensive (maintaining market structure).

Google objected almost immediately that a Microsoft-Yahoo merger would reduce competition to the extent that government should intervene to block the merger or restrict the conduct of the merged entity. The commentary on Google’s complaint has focused on two points. First, at least in some markets, two-way competition between Microhoo and Google might be more vigorous than the current three-way competition between a dominant Google and two rivals. Second, even assuming that the antitrust authorities ultimately reject Google’s argument and allow the merger to proceed, government scrutiny will delay the merger and distract Microsoft and Yahoo, thereby helping Google.

Complaining has downsides for Google too – a government skeptical of acquisitions by dominant high-tech companies could easily boomerang and cause Google its own antitrust headaches down the road.

So why is Google complaining, despite this risk? The most intriguing possibility is that Google is working the refs. Athletes and coaches often complain to the referee about a call, knowing that the ref won’t change the call, but hoping to generate some sympathy that will pay off next time a close call has to be made. Suppose Google complains, and the government rejects its complaint. Next time Google makes an acquisition and the government comes starts asking questions, Google can argue that if the government didn’t do anything about the Microhoo merger, then it should lay off Google too.

It’s fun to toss around these Machiavellian theories, but I doubt Google actually thought all this through before it reacted. Whatever the explanation, now that it has reacted, it’s stuck with the consequences of its reaction – just as Microsoft is stuck, for better or worse, with its offer to buy Yahoo.

Filed Under: Uncategorized Tagged With: ,

Unattended Voting Machines, As Usual

February 5, 2008 by

It’s election day, so tradition dictates that I publish some photos of myself with unattended voting machines.

To recap: It’s well known that paperless electronic voting machines are vulnerable to tampering, if an attacker can get physical access to a machine before the election. Most of the vendors, and a few election officials, claim that this isn’t a problem because the machines are well guarded so that no would-be attacker can get to them. Which would be mildly reassuring – if it were true.

Here’s me with two unattended voting machines, taken on Sunday evening in a Princeton polling place:

Here are four more unattended voting machines, taken on Monday evening in another Princeton polling place.

I stood conspicuously next to this second set of machines for fifteen minutes, and saw nobody.

In both cases I had ample opportunity to tamper with the machines – but of course I did not.

Filed Under: Other Topics, Privacy & Security Tagged With: , ,

Internet Voting

February 4, 2008 by

(or, how I learned to stop worrying and love having the whole world know exactly how I voted)

Tomorrow is “Super Tuesday” in the United States. Roughly half of the delegates to the Democratic and Republican conventions will be decided tomorrow, and the votes will be cast either in a polling place or through the mail. Except for the votes cast online. Yes, over the Internet.

The Libertarian Party of Arizona is conducting its entire primary election online. Arizona’s Libertarian voters who wish to participate in its primary election have no choice but to vote online. Also, the Democratic Party is experimenting with online voting for overseas voters.

Abridged history: The U.S. military has been pushing hard on getting something like this in place, most famously commissioning a system called “SERVE”. To their credit, they hired several smart security people to evaluate their security. Four of those experts published an independent report that was strongly critical of the system, notably pointing out the obvious problem with such a scheme: home computers are notoriously insecure. It’s easy to imagine viruses and whatnot being engineered to specifically watch for attempts to use the computer to vote and to specifically tamper with those votes, transparently shifting votes in the election. The military killed the program, later replacing it with a vote-by-fax scheme. It’s unclear whether this represents a security improvement, but it probably makes it easier to deal with the diversity of ballot styles.

Internet voting has also been used in a variety of other places, including Estonia. An Estonian colleague of mine demonstrated the system for me. He inserted his national ID card (a smartcard) into a PCMCIA card reader in his laptop. This allowed him to authenticate to an official government web site where he could then cast his vote. He was perfectly comfortable letting me watch the whole process because he said that he could go back and cast his vote again later, in private, overriding the vote that I saw him cast. This scheme partly addresses the risk of voter coercion and bribery (see sidebar), but it doesn’t do anything for the insecurity of the client platform.

Okay, then, how does the Arizona Libertarian party do it? You can visit their web site and click here to vote. I went as far as a web page, hosted by fairvotelections.com, which asked me for my name, birth year, house address number (i.e., for “600 Main Street”, I would enter “600”), and zip code. Both this web page and the page to which it “posts” its response are “http” pages. No cryptography is used, but then the information you’re sending isn’t terribly secret, either. Do they support Estonian-style vote overriding? Unclear. None of the links or information say a single word about security. The lack of SSL is strongly indicative of a lack of sophistication (although they did set a tracking cookie to an opaque value of some sort).

How about Democrats Abroad? If you go to their web site, you end up at VoteFromAbroad.org, which gives you two choices. You can download a PDF of the ballot, print it and mail or fax it in. Or, you can vote online via the Internet, which helpfully tells you:

Is it safe to vote by Internet? Secure Internet voting is powered by Everyone Counts, a leading expert in high-integrity online elections. We are using the same system the Michigan Democratic Party has used since 2004. Alternatively, you will have the option to vote by post, fax or in-person at Voting Centers in 34 countries around the world.

The registration system, unlike the Arizona one, at least operates over SSL. Regardless, it would seem to have all the same problems. In a public radio interview with Weekend America, Meredith Gowan LeGoff, vice chairman of Democrats Abroad, responded to a question about security issues:

Where I grew up, the dead still vote in Louisiana. There are lots of things that could potentially go wrong in any election. This might be a big challenge to a hacker somewhere. We’re hoping a hacker might care more about democracy than hacking. But we’re not depending on that. We have a lot of processes, and we’ve also chosen an outside vendor, Everyone Counts, to run the online voting.

The best we can do is the same as New Hampshire or Michigan or anywhere else, and that’s to have the members of our list and correspond that to who actually voted. Another important thing to remember is that our ballots are actually public. So you have to give your name and your address, so it’s not secret and it’s not anonymous. It’s probably easier to catch than someone in Mississippi going across to Alabama and trying to vote again.

Ahh, now there’s an interesting choice of security mechanisms. Every vote is public! For starters, this would be completely unacceptable in a general election. It’s debatable what value it has in a party election. Review time: there are two broadly different ways that U.S. political parties select their candidates, and it tends to vary from state to state. Caucuses, most famously used in Iowa, are a very public affair. In the Iowa Democratic caucuses, people stand up, speak their mind, and literally vote with their feet by where they sit or stand in the room. The Iowa Republicans, for contrast, cast their votes secretly. (Wikipedia has all the details.) Primary elections may or may not be anonymous, depending on the state. Regardless, for elections in areas dominated by a single political party, the primary election might as well be the final election, so it’s not hard to argue in favor of anonymous voting in primaries.

On the flip side, maybe we shouldn’t care about voter anonymity. Publish everybody’s name and how they voted in the newspaper. Needless to say, that would certainly simplify the security problem. Whether it would be good for democracy or not, however, is a completely different question.

[Sidebar: bribery and coercion. You don’t have to be a scholar of election history or a crazy conspiracy nut to believe that bribery and coercion are real and pressing issues in elections. Let’s examine the Estonian scheme, described above, for its resistance to bribery to coercion. The fundamental security mechanism used for voter privacy is the ability to vote anew, overriding an earlier vote. Thus, in order to successfully coerce a vote, the coercer must defeat the voter’s ability to vote again. Given that voting requires voters to have their national ID cards, the simplest answer would be to “help” voters vote “correctly”, then collect their ID cards, returning them after the election is over. You could minimize the voter’s inconvenience by doing this on the last possible day to cast a vote.

It’s important to point out that voting in a polling place may still be subject to bribery or coercion. For example, camera-phones with a video mode can record the act of casting a vote on an electronic voting system. Traditional secret-ballot paper systems are vulnerable to a chain-voting attack, where the voter is given a completed ballot before they enter the polls and returns with a fresh, unvoted ballot. Even sophisticated end-to-end voting schemes like ThreeBallot or Punchscan may be subject to equally sophisticated attacks (see these slides from John Kelsey).]

Filed Under: Other Topics, Privacy & Security Tagged With: ,

MySpace Photos Leaked; Payback for Not Fixing Flaw?

January 28, 2008 by

Last week an anonymous person published a file containing half a million images, many of which had been gathered from private profiles on MySpace. This may be the most serious privacy breach yet at MySpace. Kevin Poulsen’s story at Wired News implies that the leak may have been deliberate payback for MySpace failing to fix the vulnerability that allowed the leaks.

“I think the greatest motivator was simply to prove that it could be done,” file creator “DMaul” says in an e-mail interview. “I made it public that I was saving these images. However, I am certain there are mischievous individuals using these hacks for nefarious purposes.”

The MySpace hole surfaced last fall, and it was quickly seized upon by the self-described pedophiles and ordinary voyeurs who used it, among other things, to target 14- and 15-year-old users who’d caught their eye online. A YouTube video showed how to use the bug to retrieve private profile photos. The bug also spawned a number of ad-supported sites that made it easy to retrieve photos. One such site reported more than 77,000 queries before MySpace closed the hole last Friday following Wired News’ report.

MySpace plugged a a href=”http://grownupgeek.blogspot.com/2006/08/myspace-closes-giant-security-hole.html”>similar security hole in August 2006 when it made the front page of Digg, four months after it surfaced.

The implication here, not quite stated, is that DMaul was trying to draw attention to the flaw in order to force MySpace to fix it. If this is what it took to get MySpace to fix the flaw, this story reflects very badly on MySpace.

Anyone who has discovered security flaws in commercial products knows that companies react to flaws in two distinct ways. Smart companies react constructively: they’re not happy about the flaws or the subsequent PR fallout, but they acknowledge the truth and work in their customers’ interest to fix problems promptly. Other companies deny problems and delay addressing them, treating security flaws solely as PR problems rather than real risks.

Smart companies have learned that a constructive response minimizes the long-run PR damage and, not coincidentally, protects customers. But some companies seem to lock themselves into the deny-delay strategy.

Now suppose you know that a company’s product has a flaw that is endangering its customers, and the company is denying and delaying. There is something you can do that will force them to fix the problem – you can arrange an attention-grabbing demonstration that will show customers (and the press) that the risk is real. All you have to do is exploit the flaw yourself, get a bunch of private data, and release it. Which is pretty much what DMaul did.

To be clear, I’m not endorsing this course of action. I’m just pointing out why someone might find it attractive despite the obvious ethical objections.

The really interesting aspect of Poulsen’s article is that he doesn’t quite connect the dots and say that DMaul meant to punish MySpace. But Poulsen is savvy enough that he probably wouldn’t have missed the implication either, and he could have written the article to avoid it had he wanted to. Maybe I’m reading too much into the article, but I can’t help suspecting that DMaul was trying to punish MySpace for its lax security.

Filed Under: Uncategorized Tagged With: , ,