December 23, 2024

Election 2008: What Might Go Wrong

Tomorrow, as everyone knows, is Election Day in the U.S. With all the controversy over electronic voting, and the anticipated high turnout, what can we expect to see? What problems might be looming? Here are my predictions.

Long lines to vote: Polling places will be strained by the number of voters. In some places the wait will be long – especially where voting requires the use of machines. Many voters will be willing and able to wait, but some will have to leave without casting votes. Polls will be kept open late, and results will be reported later than expected, because of long lines.

Registration problems: Quite a few voters will arrive at the polling place to find that they are not on the voter rolls, because of official error, or problems with voter registration databases, or simply because the voter went to the wrong polling place. New voters will be especially likely to have such problems. Voters who think they should be on the rolls in a polling place can file provisional ballots there. Afterward, officials must judge whether each provisional voter was in fact eligible, a time-consuming process which, given the relative flood of provisional ballots, will strain official resources.

Voting machine problems: Electronic voting machines will fail somewhere. This is virtually inevitable, given the sheer number of machines and polling places, the variety of voting machines, and the often poor reliability and security engineering of the machines. If we’re lucky, the problems can be addressed using a paper trail or other records. If not, we’ll have a mess on our hands.

How serious the mess might be depends on how close the election is. If the margin of victory is large, as some polls suggest it may be, then it will be easy to write off problems as “minor” and move on to the next stage in our collective political life. If the election is close, we could see a big fight. The worse case is an ultra-close election like in 2000, with long lines, provisional ballots, or voting machine failures putting the outcome in doubt.

Regardless of what happens on Election Day, the next day — Wednesday, November 5 — will be a good time to get started on improving the next election. We have made some progress since 2004 and 2006. If we keep working, our future elections can be better and safer than this one.

Vote flipping on the Hart InterCivic eSlate

There have been numerous press reports about “vote flipping.” I did an analysis of the eSlate, my local voting machine, including mocked up screen shots, to attempt to explain the issue.

Independent Voters Disenfranchised in Louisiana

Louisiana held a Congressional primary election on October 4th, 2008. In the 4th-Congressional-district Democratic Primary, there were four candidates; the two candidates with the most votes advanced to the runoff. The margin between the second (advancing) candidate and the third (nonadvancing) candidate was 1,484 votes. But, as I will explain, at least 2,167 voters, and probably more than 5,000 voters, were wrongly prevented from voting in the Democratic primary. This disenfranchisement appears to result from incorrect or unclear instructions given by the Secretary of State to the pollworkers at all the individual precincts.

In Louisiana the Republican Party held a closed primary; that is, only those voters registered as Republicans could vote. The Democratic Party held an open primary; that is, the party allowed Democratic and Independent voters to vote in the Democratic congressional primary. Members of the Green Party, Reform Party, and Libertarian Party were not permitted to vote in the Democratic Primary. However, there were some races on the ballot other than the Congressional Primary election: for example, any voter in Shreveport could vote in the election for City Marshal.

On election day there were reports that when Independent voters pressed the button on the voting machine for a candidate in the Democratic congressional primary, nothing happened. In effect, these voters said that they were prevented from voting in the Democratic Congressional primary. This did not conform to the election law, because it did not respect the Democratic Party’s choice to hold an open primary.

Caddo Parish, in the 4th Congressional district, uses Sequoia AVC Advantage version 9.00H direct-recording electronic voting machines. I am very familiar with this model of voting computer, since I performed an in-depth study of these machines in New Jersey. The way these AVC Advantage voting computers work in a Louisiana primary election is this: Each voter, when he or she signs in to vote, is handed a ticket. The ticket indicates which primary election the voter is entitled to participate in. When the voter hands this ticket to the Commissioner (pollworker) who stands by the voting machine, the Commissioner presses an “option switch” button that selects which contests on the ballot that voter is permitted to vote in. The “option switch” button is sometimes called a “lockout” button, because it “locks out” some contests from the voter. For example, if the voter hands in a ticket marked REPUBLICAN, the Commissioner presses a REPUB lockout button. Then the Democratic primary ballot is “locked out” (so those buttons have no effect), and the Republican primary ballot is active. Or, if a registered Democrat approaches the polls, he or she gets a ticket marked DEMOCRAT: the operator pushes the DEM lockout button. This locks out the Republican primary ballot, and activates the Democratic primary ballot. Finally, a registered voter in the Green Party, Reform Party, or Libertarian party gets a ticket marked “No Party.” The Commissioner then presses the option switch marked “Others.” This locks out both primary ballots, so this voter can vote only in contests such as City Marshal.

With this combination of technological setup plus election law, it is clear that the pollworkers at the sign-in desk should hand Independent voters a ticket marked “DEMOCRAT.” Only this way can they vote in the Democratic primary. It won’t do to hand them a ticket marked “No Party” and then have the Commissioner press the “DEMOCRAT” button, because this solution won’t properly handle the Green, Reform, and Libertarian voters. So the question is, “Did the Secretary of State effectively instruct and train the Commissioners so that Independent voters were permitted to vote in the Democratic Primary?” He did not, as I will show.

When the polls are closed, the AVC Advantage prints out a paper tape (like a cash register tape) listing how many votes each candidate got. But in addition the computer prints out a list of “Option Switch Totals”, indicating how many voters were permitted to vote in each of the primary elections on the ballot. That is, the “Option Switch Totals” show how many times the Commissioner pressed each one of the the “DEM”, “REPUB”, and “Others” buttons.

On October 15th, 2008 I visited Caddo Parish’s voting-machine warehouse in Shreveport. I examined all the paper-tape “results report” printouts from the approximately 400 voting machines used in the entire Parish (a parish in Louisiana corresponds to a county in other states). I added up how many voters voted with the “Other” option-switch setting. All of these voters were “locked out” of both the Democratic and Republican Congressional primaries.

In all, 2,167 voters in Caddo Parish voted with the Other option switch. These voters were not able to record a vote in either the Democratic or Republican party primary, that is, they were “locked out” of voting in the Democratic Congressional Primary. The vast majority of these 2,167 locked-out voters are Independents, because Party registration for the Green Party, the Libertarian Party, and Reform Party is negligible. For example, the Green Party has only 1,064 registered voters in the entire State of Louisiana (7 Congressional districts). In contrast, there are about 80,000 Independent voters in the 4th Congressional district alone. Thus, almost all of the 2,167 voters in Caddo Parish who were locked out were almost certainly Independents.

Some independent voters approached the polls and were told that independent voters were not permitted to vote in the Democratic Congressional Primary. Some of these voters left the polling place without signing in to vote. These voters were disenfranchised as well, in addition to the 2,167 that we can count in the option-switch numbers.

Caddo Parish contains about 40% of the voters of the entire 4th Congressional district. If the same proportion of Independent voters were locked out of the Democratic primary in the other parts of the district, that means that more than 5,000 Independent voters were illegally disenfranchised from voting in the Democratic primary. Since the margin between winning and losing candidates was 1,484, that means the number of disenfranchised voters was larger than the margin of victory. Those voters could have changed the outcome of the election, if they had been lawfully permitted to vote.

Louisiana holds its runoff primary election (for both parties) on November 4th. Once again, the Democratic Party is holding an open primary, and the Republican Party is holding a closed primary. I urge the Secretary of State of Louisiana to give clear instructions to Commissioners of precincts, as follows:

“Independent voters are to be given a ticket marked DEMOCRAT. Democratic voters are to be given a ticket marked DEMOCRAT. Republican voters are to be given a ticket marked REPUBLICAN. Green Party, Reform Party, and Libertarian Party voters are to be given a ticket marked NO PARTY.”

Report on the Sequioa AVC Advantage

Today I am releasing an in-depth study of the Sequoia AVC Advantage direct-recording electronic (DRE) voting machine, available at citp.princeton.edu/voting/advantage. I led a team of six computer scientists in a monthlong examination of the source code and hardware of these voting computers, which are used in New Jersey, Pennsylvania, and other states.

The Rutgers Law School Constitutional Litigation Clinic filed a lawsuit seeking to decommission of all of New Jersey’s voting computers, and asked me to serve as an expert witness. This year the Court ordered the State of New Jersey and Sequoia Voting Systems to provide voting machines and their source code for me to examine. By Court Order, I can release the report no sooner than October 17th, 2008.

Accompanying the report is a video and a FAQ.

Executive Summary

I. The AVC Advantage 9.00 is easily “hacked” by the installation of fraudulent firmware. This is done by prying just one ROM chip from its socket and pushing a new one in, or by replacement of the Z80 processor chip. We have demonstrated that this “hack” takes just 7 minutes to perform.

The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do. The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.

II. Without even touching a single AVC Advantage, an attacker can install fraudulent firmware into many AVC Advantage machines by viral propagation through audio-ballot cartridges. The virus can steal the votes of blind voters, can cause AVC Advantages in targeted precincts to fail to operate; or can cause WinEDS software to tally votes inaccurately. (WinEDS is the program, sold by Sequoia, that each County’s Board of Elections uses to add up votes from all the different precincts.)

III. Design flaws in the user interface of the AVC Advantage disenfranchise voters, or violate voter privacy, by causing votes not to be counted, and by allowing pollworkers to commit fraud.

IV. AVC Advantage Results Cartridges can be easily manipulated to change votes, after the polls are closed but before results from different precincts are cumulated together.

V. Sequoia’s sloppy software practices can lead to error and insecurity. Wyle’s Independent Testing Authority (ITA) reports are not rigorous, and are inadequate to detect security vulnerabilities. Programming errors that slip through these processes can miscount votes and permit fraud.

VI. Anomalies noticed by County Clerks in the New Jersey 2008 Presidential Primary were caused by two different programming errors on the part of Sequoia, and had the effect of disenfranchising voters.

VII. The AVC Advantage has been produced in many versions. The fact that one version may have been examined for certification does not give grounds for confidence in the security and accuracy of a different version. New Jersey should not use any version of the AVC Advantage that it has not actually examined with the assistance of skilled computer-security experts.

VIII. The AVC Advantage is too insecure to use in New Jersey. New Jersey should immediately implement the 2005 law passed by the Legislature, requiring an individual voter-verified record of each vote cast, by adopting precinct-count optical-scan voting equipment.

Counting Electronic Votes in Secret

Things are not looking good for open government when it comes to observing poll workers on Election Night. Our state election laws, written for the old lever machines, now apply to Sequoia electronic voting machines. Andrew Appel and I have been asking a straightforward question: Can ordinary members of the public watch the procedures used by poll workers to count the votes?

I submitted a formal request to the Board of Elections of Mercer County (where Princeton University is located), seeking permission to watch the poll workers when they close the polls (on Sequoia AVC Advantage voting computers) and announce the results. They said no!

The Election Board said this election is “too important” to permit extra people in the polling place.

They even went so far as to suggest that my written application was fraudulent. I applied on behalf of five people: two Princeton University students, two professors, and myself. In an abundance of caution, I requested authorization in the form of “challenger badges” which the Board of Elections can issue at its discretion. By phone, I explained our interest in merely watching the poll workers.

Of course we understand that they might not want extra people getting in the way on Election Night — that’s why we took measures to get special authorization. To ensure that we could be lawfully present, we asked for challenger badges as non-partisan proponents and opponents of two Public Questions on the ballot, as permitted by NJSA 19:7-2. My request was entirely in compliance with state law, as all the prospective challengers are registered to vote in Mercer County.

In spite of this, the Board expressed reluctance, based on the identities of the prospective challengers. In particular, they cited Andrew’s status as an expert on Sequoia voting machines as a “concern,” and provided assurances that Sequoia has fixed all the problems he identified in past elections.

Other counties in New Jersey permit members of the public to watch the poll workers “read” the election results. Combined with Judge Feinberg’s decision to suppress Andrew’s report on the security of the Sequoia machines, Mercer County conveys the unfortunate impression it does not welcome scrutiny of its electronic voting process.