Voters casting early ballots in New Mexico report that the state’s touchscreen voting machines sometimes record a vote for the wrong candidate, according to a Jim Ludwick story in the Albuquerque Journal. (Link via DocBug)

[Kim Griffith] went to Valle Del Norte Community Center in Albuquerque, planning to vote for John Kerry. “I pushed his name, but a green check mark appeared before President Bush’s name,” she said.

Griffith erased the vote by touching the check mark at Bush’s name. That’s how a voter can alter a touch-screen ballot.

She again tried to vote for Kerry, but the screen again said she had voted for Bush. The third time, the screen agreed that her vote should go to Kerry.

She faced the same problem repeatedly as she filled out the rest of the ballot. On one item, “I had to vote five or six times,” she said.

Michael Cadigan, president of the Albuquerque City Council, had a similar experience when he voted at City Hall.

“I cast my vote for president. I voted for Kerry and a check mark for Bush appeared,” he said.

He reported the problem immediately and was shown how to alter the ballot.

Cadigan said he doesn’t think he made a mistake the first time. “I was extremely careful to accurately touch the button for my choice for president,” but the check mark appeared by the wrong name, he said.

…

In Sandoval County, three Rio Rancho residents said they had a similar problem, with opposite results. They said a touch-screen machine switched their presidential votes from Bush to Kerry.

County officials blame the voters, saying that they must have inadvertently touched the screen elsewhere.

My guess is that the touchscreens are miscalibrated. Touchscreens use one mechanism to paint images onto the screen, and a separate mechanism to measure where the screen has been touched. Usually the touch sensor has to be calibrated to make sure that the coordinate system used by the touch sensor matches up with the coordinate system used by the screen-painting mechanism. If the sensor isn’t properly calibrated, touches made on one part of the image will be registered elsewhere. For example, touches might be registered an inch or two below the place they really occur.

(Some PDAs, such as Palm systems, calibrate their touchscreens when they boot, by presenting the user with a series of crosshairs and asking the user to touch the center of each one. If you’re a Palm user, you have probably seen this.)

Touchscreens are especially prone to calibration problems when they have gone unused for a long time, as will tend to happen with voting machines.

My guess is that few poll workers know how to recognize this problem, and fewer still know how to fix it if it happens. One solution is to educate poll workers better. Another solution is to avoid using technologies that are prone to geeky errors like touchscreen miscalibration.

This is yet another reminder to proofread your vote before it is cast.

UPDATE (3:15 PM): Joe Hall points to an argument by Doug Jones that problems of this sort represent another type of touchscreen calibration problem. If the voter rests a palm or a thumb on the edge of the touchscreen surface, this can (temporarily) mess up the screen’s calibration. That seems like another plausible explanation of the New Mexico voters’ complaints. Either way, touchscreens may misread the voter’s intention. Again: don’t forget to double-check that the technology (no matter what it is ) seems to be registering your vote correctly.

The November 2nd election hasn’t even happened yet, and already the e-voting industry is making excuses for the election-day failures of their technology. That’s right – they’re rebutting future reports of future failures. Here’s a sample:

Problem

Voting machines will not turn on or operate.

Explanation

Voting machines are not connected to an active power source. Machines may have been connected to a power strip that has been turned off or plugged into an outlet controlled by a wall switch. Power surges or outages caused by electrical storms or other natural occurrences are not unheard of. If the power source to the machine has been lost, voting machines will generally operate on battery power for brief periods. Once battery power is lost, however, the machines will cease to function (although votes cast on such machines will not be lost). Electronic voting machines may require the election official or precinct worker to enter a password in order to operate. Lost or forgotten passwords may produce lengthy delays as this information is retrieved from other sources.

In the past, of course, voting machines have failed to operate for other reasons, as in the 2002 California gubernatorial recall election, when Diebold machines, which turned out to be uncertified, failed to boot properly at many polling places in San Diego and Alameda counties. (Verified-voting.org offers a litany of these and other observed e-voting failures.)

The quote above comes from a document released by the Election Technology Council, a trade group of e-voting vendors. (The original, tellingly released only in the not-entirely-secure Word format, is here.)

The tone of the ETC document is clear – our technology is great, but voters and poll workers aren’t smart enough to use it correctly. Never mind that the technology is deeply flawed (see, e.g., my discussion of Diebold’s insecure protocols, not to mention all of the independent studies of the technology). Never mind that the vendors are the ones who design the training regimes whose inadequacy they blame. Never mind that it is their responsibility to make their products usable.

[Link credit: Slashdot]

Yesterday I wrote about a terribly weak security protocol in the Diebold AccuVote-TS system (at least as it existed in 2002), as reported in a talk by Dan Wallach. That wasn’t the only broken Diebold protocol Dan discussed. Here’s another one which may be even scarier.

The Diebold system allows a polling place administrator to use a smartcard to control a voting machine, performing operations such as closing the polls for the day. The administrator gets a special administrator smartcard (a credit-card-sized computing device) and puts it into the voting machine. The machine uses a special protocol to validate the card, and then accepts commands from the administrator.

This is a decent plan, but Diebold botched the design of the protocol. Here’s the protocol they use:

terminal to card: “What kind of card are you?”
card to terminal: “Administrator”
terminal to card: “What’s the password?”
card to terminal: [Value1]
terminal to user: “What’s the password?”
user to terminal: [Value2]

If Value1=Value2, then the terminal allows the user to execute administrative commands.

Like yesterday’s protocol, this one fails because malicious users can make their own smartcard. (Smartcard kits cost less than $50.) Suppose Zeke is a malicious voter. He makes a smartcard that answers “Administrator” to the first question and (say) “1234” to the second question. He shows up to vote, signs in, goes into the voting booth, and inserts his malicious smartcard. The malicious smartcard tells the machine that the secret password is 1234; when the machine asks Zeke himself for the secret password, he enters 1234. The machine will then execute any administrative command Zeke wants to give it.
For example, he can tell the machine that the election is over.

This system was apparently used in the Georgia 2002 election. Has Diebold fixed this problem, or the one I described yesterday? We don’t know.

UPDATE (1:30 PM): Just to be clear, telling a machine that the election is over is harmful because it puts the machine in a mode where it won’t accept any votes. Getting the machine back into vote-accepting mode, without zeroing the vote counts, will likely require a visit from a technician, which could keep the voting machine offline for a significant period. (If there are other machines at the same precinct, they could be targeted too.) This attack could affect an election result if it is targeted at a precinct or a time of day in which votes are expected to favor a particular candidate.

Dan Wallach from Rice University was here on Monday and gave a talk on e-voting. One of the examples in his talk was interesting enough that I thought I would share it with you, both as an introductory example of how security analysts think, and as an illustration of how badly Diebold botched the design of their voting system.

One of the problems in voting system design is making sure that each voter who signs in is allowed to vote only once. In the Diebold AccuVote-TS system, this is done using smartcards. (Smartcards are the size and shape of credit cards, but they have tiny computers inside.) After signing in, a voter would be given a smartcard – the “voter card” – that had been activated by a poll worker. The voter would slide the voter card into a voting machine. The voting machine would let the voter cast one vote, and would then cause the voter card to deactivate itself so that the voter couldn’t vote again. The voter would return the deactivated voter card after leaving the voting booth.

This sounds like a decent plan, but Diebold botched the design of the protocol that the voting terminal used to talk to the voter card. The protocol involved a series of six messages, as follows:

terminal to card: “My password is [8 byte value]”
card to terminal: “Okay”
terminal to card: “Are you a valid card?”
card to terminal: “Yes.”
terminal to card: “Please deactivate yourself.”
card to terminal: “Okay.”

Can you spot the problem here? (Hint: anybody can make their own smartcard that sends whatever messages they like.)

As most of you probably noticed – and Diebold’s engineers apparently did not – the smartcard doesn’t actually do anything surprising in this protocol. Anybody can make a smartcard that sends the three messages “Okay; Yes; Okay” and use it to cast an extra vote. (Do-it-yourself smartcard kits cost less than $50.)

Indeed, anybody can make a smartcard that sends the three-message sequence “Okay; Yes; Okay” over and over, and can thereby vote as many times as desired, at least until a poll worker asks why the voter is spending so long in the booth.

One problem with the Diebold protocol is that rather than asking the card to prove that it is valid, the terminal simply asks the card whether it is valid, and accepts whatever answer the card gives. If a man calls you on the phone and says he is me, you can’t just ask him “Are you really Ed Felten?” and accept the answer at face value. But that’s the equivalent of what Diebold is doing here.

This system was apparently used in a real election in Georgia in 2002. Yikes.

Absentee ballots are a common vector for election fraud, and several U.S. states have inadquate safeguards in their handling, according to a Michael story in today’s New York Times. The story recounts many examples of absentee ballot fraud, including blatant vote-buying.

For in-person voting, polling-place procedures help to authenticate voters and to ensure that votes are cast secretly and are not lost in transit. Absentee voting has weaker safeguards all around. In some states, party workers are even allowed to “help” voters fill out their ballots and to transport completed ballots to election officials. (The latter is problematic because certain ballots might be “lost” in transit.)

Traditional voting security relies on having many eyes in the polling place, watching what happens. Of course, the observers don’t see how each voter votes, but they do see that the vote is cast secretly and by the correct voter. Moving our voting procedures behind closed doors, as with absentee ballots, or inside a technological black box, as with paperless e-voting, undermines these protections.

Without safeguards, absentee ballots are too risky. Even with proper safeguards, they are at best a necessary compromise for voters who genuinely can’t make it to the polls.