A group of Californians has filed a lawsuit in state court against voting machine vendor Diebold, in advance of the March 2 primary election.

The complaint asks the court to order Diebold to do three main things: (1) to refrain from further violations of state election laws and regulations, such as installing uncertified software for use in elections, (2) to implement the stopgap security measures recommended by the Raba report, in time for the March 2 primary election, and (3) to implement the longterm security measures recommended by the Raba report or else to withdraw the Diebold systems from use.

One of the challenges of blogging is finding things to write about. If you want to keep a loyal audience, you have to write regularly; and sometimes it’s hard to come up with several topics a week. Happily, whenever the well is about to run dry, I can always count on Diebold to fail a test or do something ridiculous. Thanks, guys!

The Diebold travesty du jour comes from Elise Ackerman’s story in today’s San Jose Mercury-News. The story recounts Diebold’s response, in California, to the recent Raba report, which demonstrated that Diebold e-voting systems were prone to several serious security attacks.

The story quotes Diebold’s spokesman:

Diebold representative David Bear said Thursday that the integrity of next month’s election was not at risk. “I think it’s important to reflect that the Maryland Department of Legislative Services concluded based on the Raba report that the election could be held successfully without any changes to the Diebold software,” he said. “They went on to say the software accurately counts votes cast.”

Here’s the opinion of authors of the Raba report, according to the New York Times:

Authors of the [Raba] report

A group of ex-NSA security experts, hired by the state of Maryland to evaluate the state’s Diebold electronic voting systems, found the systems riddled with basic security flaws. This confirmed two previous studies, one led by Johns Hopkins researchers and one by SAIC. Here are some excerpts from John Schwartz’s New York Times story:

Electronic voting machines made by Diebold Inc. that are widely used in several states have such poor computer security and physical security that an election could be disrupted or even stolen by corrupt insiders or determined outsiders, according to a new report presented today to Maryland state legislators.

…

The authors of the report said that they had expected a higher degree of security in the design of the machines. “We were genuinely surprised at the basic level of the exploits” that allowed tampering, said Mr. Wertheimer, a former security expert for the National Security Agency.

William A. Arbaugh, an assistant professor of computer science at the University of Maryland and a member of the Red Team exercise, said, “I can say with confidence that nobody looked at the system with an eye to security who understands security.”

Read the second (on-line) page of the NYT story for a litany of problems the team found. In short, they could easily corrupt individual voting machines so that they counted votes for the wrong candidate or not at all; they could introduce false vote counts for whole precincts into the central vote-tallying server; or they could use well-known hostile exploits to seize control of the servers remotely.

Diebold’s response?

In a statement released today, Bob Urosevich, president of Diebold Election Systems, said this report and another by the Science Applications International Corporation “confirm the accuracy and security of Maryland’s voting procedures and our voting systems as they exist today.”

Mr. Urosevich added: “With that said, in our continued spirit of innovation and industry leadership, there will always be room for improvement and refinement. This is especially true in assuring the utmost security in elections.”

University of Maryland professor Bill Arbaugh, one of the study participants and a genuine security expert, gets the last word: “It seemed everywhere we scratched, there was something that’s pretty troubling.”

Four respected computer scientists, members of a government-commissioned study panel, have published a report critical of SERVE, a proposed system to let overseas military people vote in elections via a website. (Links: the report itself; John Schwartz story at N.Y. Times; Dan Keating story at Washington Post.) The report’s authors are David Jefferson, Avi Rubin, Barbara Simons, and David Wagner. The problem is not in the design of the voting technology itself, but in the simple fact that it is built on ordinary PCs and the Internet, leaving it open to all of the standard security attacks that ordinary systems face:

The real barrier to success is not a lack of vision, skill, resources, or dedication; it is the fact that, given the current Internet and PC security technology, and the goal of a secure, all-electronic remote voting system, the [program] has taken on an essentially impossible task. There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC, or some unforeseen security breakthrough.

SERVE advocates have two reponses. The first is simple stonewalling (for example, saying “We have addressed all of those problems”, which is just false). I’ll ignore the stonewalling. The second response, which does have some force, says that SERVE is worth pursuing as an experiment. An experiment would have some value in understanding user-interface issues relating to e-voting; and the security risk would be acceptable as long as the experiment was small.

The authors of the report disagree, because they worry that the “experiment” would not be an experiment at all but just the first phase of deployment of a manifestly insecure system. If an experiment is done, and no fraud occurs – or at least no fraud is detected – this might be taken as showing that the system is secure, which it clearly is not.

This reminds me of an analogy used by the physicist Richard Feynman to criticize NASA’s safety culture after the Challenger space shuttle accident. (Feynman served on the Challenger commission, and famously demonstrated the brittleness of the rubber O-ring material by dunking it in his glass of ice water during a hearing.) Feynman likened NASA to a man playing Russian Roulette. The man spins the cylinder, puts the gun to his head, and pulls the trigger. Click; he survives. “Aha!” the man says, “This must be safe.”

UPDATE (Saturday, January 24): The Washington Post site has a chat with Avi Rubin, one of the report’s authors.

UPDATE (Thursday, February 6): The DoD has decided not to use SERVE in the November 2004 elections.

Lately it seems that we’ve seen one story after another about the carelessness of e-voting vendors, especially Diebold. Here are two.

(1) Kim Alexander of the California Voter Foundation (who has been, in my experience, a reliable source of information) reported this:

This afternoon [apparently Tuesday – EF] I attended a meeting of the California Secretary of State’s Voting Systems Panel, which is in charge of certifying and decertifying voting systems for California elections.

At this meeting the initial results from the Secretary of State’s audit of counties using Diebold equipment were released. The Secretary of State’s auditors discovered that of the 17 counties using Diebold equipment (both optical scan and touchscreen), all 17 had some software or firmware version in use that was not certified by the Secretary of State.

It was an astonishing piece of information – no one knew how widespread the problem was of Diebold installing uncertified software in voting systems as was discovered in Alameda County. It turns out all of Diebold’s California clients are using some version of Diebold software or firmware that is not certified by the state.

…

It was a real bombshell. Secretary of State Kevin Shelley came into the meeting to address the panel and spoke very firmly and passionately about the need for voters to have confidence in elections. He also suggested that it is possible Diebold could be decertified in California altogether.

(2) An AP story by Rachel Konrad reported on allegations that Global Election Systems, a company purchased by Diebold, had employed convicted felons, some in upper management. Here’s a sample:

The programmer, Jeffrey Dean, wrote and maintained proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Diebold purchased GES in January 2002.

According to a public court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that “involved a high degree of sophistication and planning.”

Diebold said that Mr. Dean left his job when Diebold bought GES. Diebold apparently did not comment on the status of the other four current or past employees who are said to be convicted felons.

[Link credit for (2): Siva Vaidhyanathan.]