E-voting vendors often argue that their systems must be secure, because they have been tested by “independent” labs. Elise Ackerman’s story in Sunday’s San Jose Mercury-News explains the depressing truth about how the testing process works.

There are only three labs, and they are overseen by a private body that is supported financially by the vendors. There is no government oversight. The labs have refused to release test results to state election officials, saying the results are proprietary and will be given only to the vendor whose product was tested:

Dan Reeder, a spokesman for Wyle, which functioned as the nation’s sole testing lab from 1994 to 1997, said the company’s policy is to provide information to the manufacturers who are its customers.

It’s worth noting, too, that the labs do not test the security of the e-voting systems; they only test the systems’ compliance with standards.

SysTest Labs President Brian Phillips said the security risks identified by the outside scientists were not covered by standards published by the Federal Election Commission. “So long as a system does not violate the requirements of the standards, it is OK,” Phillips said.

A few states do their own testing, or hire their own independent labs. It seems to me that state election officials should be able to get together and establish a truly independent testing procedure that has some teeth.

In Miami-Dade County, Florida, an internal county memo has come to light, documenting misrecording of votes by ES&S e-voting machines in a May 2003 election, according to a Matthew Haggman story in the Miami Daily Business Review.

The memo, written by Orlando Suarez, head of the county’s Enterprise Technology Services Department, describes Mr. Suarez’s examination of the electronic record of the May 2003 election in one precinct. The ES&S machines in question provide two reports at the end of an election. One report, the “vote image report”, gives the vote tabulation (i.e., number of votes cast for each candidate) for each voting machine, and the other gives an audit log of significant events, such as initialization of the machine and the casting of a vote (but not who the vote was cast for), for each machine.

Mr. Suarez’s examination found that the two records were inconsistent with each other, and that both were inconsistent with reality.

In his memo, Suarez analyzed a precinct where just nine electronic voting machines were used. He first examined the audit logs for all nine machines, which was compiled onto one combined audit log. He found that the audit log made no mention of two of the machines used in the precinct.

In addition, he found that the audit log reported the serial number of a machine that was not used in that precinct. The phantom machine that appeared on the audit showed a count of ballots cast that equaled the count of the two missing machines.

Then he looked at the vote image report that was an aggregate of all nine voting machines. He discovered that three of the machines were not reported in the vote image report. But a serial number for a machine not used in the precinct appeared on the vote image report. That phantom machine showed a vote count equal to the vote count on the two missing machines. The other missing machine showed no activity.

Further examination revealed 38 votes that appeared in the vote image report but not in the audit log.

There is some evidence that the software used in this election was uncertified.

County officials don’t see much of a problem here:

Nevertheless, [county elections supervisor Constance] Kaplan insisted that Suarez’s analysis did not demonstrate any basic problems with the accuracy of the vote counts produced by the county’s iVotronic system. “The Suarez memo has nothing to do with the tabulation process,” she said. “It is very annoying that the coalition keeps equating the tabulation function with the audit function.”

Maybe I’m being overly picky here, but isn’t the vote tabulation supposed to match the audit trail? And isn’t the vote tabulation report supposed to match reality?

Very annoying, indeed.

Looks like I missed the significance of this story last week (by Kim Zetter at Wired News). California Secretary of State Kevin Shelley decertified all touch-screen voting machines, not just the Diebold systems whose decertification had been recommended by the state’s voting-systems panel.

Some counties may be able to get their machines recertified if they can meet a set of security requirements: the machines must be certified by the Federal government, provide a voter-verified paper trail, have a security plan that meets certain criteria, have source code disclosed to the Secretary of State and his designees (subject to reasonable confidentiality provisions), have a documented development process, no be modified at the last minute, have no network connections (including Internet, wireless, or phone connections), and a few other requirements.

Shelley condemned Diebold’s actions in California, calling them “despicable” and “deceitful tactics”. He referred evidence of possible fraud by Diebold to the state Attorney General’s office.

In a related story, Ireland recently decided not to use e-voting in their next election, due to security concerns.

The State of California’s Voting Systems Panel has voted to recommend the decertification of Diebold’s TSx e-voting system, according to a release from verifiedvoting.org. The final decision will be made by Secretary of State Kevin Shelley, but he is expected to approve the recommendation within the next week.

The TSx is only one of the Diebold e-voting systems used in California, but this is still an important step.

Diebold Election Systems knowingly used uncertified software in California elections, despite warnings from its lawyers that doing so was illegal and might subject the company to criminal sanctions and decertification in California, according to Ian Hoffman’s story in the Oakland Tribune.

The story says that Diebold made false representations about certification to state officials:

The drafts [of letters to the state] show [Diebold’s lawyers] staked out a firm position that a critical piece of Diebold’s voting system – its voter-card encoders – didn’t need national or state approval because they were commercial-off-the-shelf products, never modified by Diebold.

But on the same day the letter was received, Diebold-hired techs were loading non-commercial Diebold software into voter-card encoders in a West Sacramento warehouse for shipment to Alameda and San Diego counties.

Many of these encoders failed on election day, causing voters to be turned away from the polls in San Diego and Alameda Counties.

This brings Diebold one step closer to being decertified in California:

“Diebold may suffer from gross incompetence, gross negligence. I don’t know whether there’s any malevolence involved,” said a senior California elections official who spoke on condition of anonymity. “I don’t know why they’ve acted the way they’ve acted and the way they’re continuing to act. Notwithstanding their rhetoric, they have not learned any lessons in terms of dealing with this secretary (of state).”

California voting officials will discuss Diebold’s behavior at a two-day hearing that starts today.

[link via Dan Gillmor]