Excerpts from Dr. Dills Voter Verification Newsletter

Excerpts from Voter Verification Newsletter

David L. Dill ([email protected])
August 12, 2003 http://www.verifiedvoting.org

For previous newsletters, see http://www.verifiedvoting.org/news.asp

http://www.washingtonpost.com/wp-dyn/articles/A42085-2003Aug10.html
The Virginia State Board of Elections had (to) …Certify an upgrade to the state's electronic voting machines ..But with a recent report by Johns Hopkins University computer scientists warning that the system's software could easily be hacked into and election results tampered with, the once perfunctory vote now seemed to carry the weight of democracy and the people's trust along with it. An outside consultant (Brit Williams, the Georgia-based voting machine technologist who also consults for several other states including Virginia) assured the three-member panel recently that the report (by Johns Hopkins University computer scientists) was nonsense. <snip>

...from Dr. Dill) it would have been prudent to seek a broader range of advice.

ILLINOIS …passed a law requiring a voter verifiable paper trail -.. bill has been passed by the legislature and is sitting on the Governor's desk waiting to be signed..SB 428 requires a permanent paper record of the ballot to be printed immediately after the vote is cast, and requires that record to be the official record in case of a recount. Unfortunately, it is missing a clear statement that the voter be able to inspect the record before leaving the premises.. it smoothes the way for touch screen machines with voter verifiable ballots, and excludes the meaningless "audit trail" provided by some vendors by printing ballots from memory after the polls close. http://www.legis.state.il.us/legislation/billstatus.asp?DocNum=428&GAID=3&DocTypeID=SB&LegID=3015&SessionID=3
The U.S. Mail address (to ask Governor to sign SB428)is:
Governor Rod Blagojevich
207 State House
Springfield, IL 62706.
e-mail address is: [email protected]

MARYLAND ..should be an interesting test of Diebold's claims that the
problems found in the Johns Hopkins/Rice study have were fixed in more recent versions of the software… there are reasons to be concerned about whether this review will be truly independent. SAIC has a standing contract with the State of Maryland. Would strong negative findings jeopardize their other business with the state? What constitutes a "security flaw"? Many people have said that there is no way to detect malicious code in these systems. Isn't that a security flaw? But it's unfixable, so the contract would have to be cancelled. On the other hand, it seems unlikely that SAIC could certify the absence of malicious code….Apparently, SAIC is involved in electronic voting (see http://www.divdyn.com/sys5.htm). A clean bill of health for Diebold, or even a list of fixable problems, will have no credibility unless enough details of the evaluation and the results are released to convince independent computer security experts.

COMPUTER CRIME .."salami scams," where a computer is programmed to shave a little off of every transaction and collect the accumulated shavings somewhere for the programmer. (see
http://www.nwfusion.com/newsletters/sec/2002/01467137.html The sheernumber of such stories should make anyone question why the same voting would be immune from similar problems. The article also emphasizes the importance of auditing to catch such problems (there is no sign that the author was thinking about voting: Unfortunately, salami attacks are designed to be difficult to detect. The only hope is that random audits, especially of financial data, will pick up a pattern of discrepancies and lead to discovery. As any accountant will warn, even a tiny error must be tracked down, since it may indicate a much larger problem.

COUNTERACTING SPIN:
1. SPIN: We are discouraging voter participation.

REALITY: We're defending the right to vote.

Here is an example from Sunday's Washington Post article
(http://www.washingtonpost.com/wp-dyn/articles/A42085-2003Aug10.html)

"The computer scientists are saying, 'The machinery you vote on is inaccurate and could be threatened; therefore, don't go. Your vote doesn't mean anything,' " said Penelope Bonsall, director of the Office of Election Administration at the Federal Election Commission. "That negative perception takes years to turn around."

This is an example of the well-known rhetorical technique of "making things up." To my knowledge, no computer scientist has ever said "don't vote." In truth, the machinery DOES threaten our right to vote. But this is not our fault, it is the fault of individuals such as Penelope Bonsall who have ignored years of advice from those who know computer technology. Not voting is self-destructive. The only reason we're having any success with this issue is that elected officials are listening to their constituents, the voters.

2. SPIN: We are focusing suspicion on local election officials.

REALITY: We are worried about local election officials losing control over election administration…the use of DREs limits of the ability of local election officials to ensure accurate elections. If a programmer employed by an election machine manufacturer introduces malicious code into the system that can change votes, even the most competent local election officials will not be able to stop it or detect it.


3. SPIN: We are primarily concerned about "hackers" breaking into voting systems.

REALITY: Bugs and "insider attacks" are the hardest threats to stop.. most economic losses come from computer crimes committed by insiders-- not because insiders are more dishonest, but because it is easier for them to commit the crimes and, sometimes, escape detection.

Of course, it is also important to prevent hacks by outsiders, such as voters. One of the surprises of the recent Johns Hopkins/Rice report is that Diebold failed so badly at this.