taint.org: Justin Mason’s Weblog

E-Voting: Paul Krugman: Fear of Fraud:

It’s election night, and early returns suggest trouble for the incumbent. Then, mysteriously, the vote count stops and observers from the challenger’s campaign see employees of a voting-machine company, one wearing a badge that identifies him as a county official, typing instructions at computers with access to the vote-tabulating software.

When the count resumes, the incumbent pulls ahead. The challenger demands an investigation. But there are no ballots to recount, and election officials allied with the incumbent refuse to release data that could shed light on whether there was tampering with the electronic records.

This isn’t a paranoid fantasy. It’s a true account of a recent election in Riverside County, Calif., reported by Andrew Gumbel of the British newspaper The Independent.

Here is Gumbel’s account. It’s quite simply crazy:

On March 4, Floyd and Cassel saw the second Sequoia employee, Eddie Campbell, return to the registrar’s office and watched him pop into his pocket what looked like a PCMCIA card similar to those used to store votes on individual touchscreen machines. The Sequoia AVC Edge machines do not make a paper record of individual votes, and any record of total votes for a potential recount — vital in a race separated only by 45 votes — would only be stored on that kind of card.

Floyd shouted out: ‘Where are you going with that?’ But he received no answer.

Incredible.

Tags: account, card, challenger, count, e-voting, election, fear, fraud, record, recount, sequoia

eVoting: ‘Spoiling your vote’, e.g. writing in ‘none of the above’ on a ballot paper, is a legally-permitted response to a ballot in Ireland and many other countries. Secrecy in how you vote is constitutionally required.

Aengus Lawlor on the ICTE list points out that it appears the new e-voting system in Ireland will no longer permit spoiling to take place in secrecy.

Indeed, in the 7 constituencies where e-voting machines were trialed in the 2002 Nice Referendum, no spoiled votes were cast. Compare:

• Carlow-Kilkenny: turnout 47,192, Spoiled Votes 244 (that’s 0.51%)
• Cork North-West: 29,056, 144 (0.49%)
• Dublin Central: 28,880, 115 (0.39%)
• Dublin North-Central: 36,532, 93 (0.25%)

with the e-voting constituencies:

• Dublin South: 51,229, 0
• Dublin South-West: 31,336, 0
• Dublin West: 25,659, 0
• Dun Laoghaire: 50,070, 0

A pretty notable anomaly there, ignoring the wishes of 0.5% of the electorate.

On a separate issue — let’s hope the Powervote systems aren’t as bad as the Diebold ones. Here’s the RABA Technologies’ assessment of Diebold AccuVote-TS Voting System security (PDF, 167KB), noting locks picked in 10 seconds, default passwords used to re-encode a voter card as a supervisor card, etc etc.

Tags: ballot, card, central, diebold, evoting, none, secrecy, spoiling, system, vote, west

Great report auditing the security features of the Diebold e-voting systems. Summary: what security?

• despite using relatively ’smart’ smartcards, they don’t actually get those cards to perform an authentication task; they’re just used as ‘dumb’ memory cards, and there’s no central online database of valid card IDs. Plus, the same write password is used for all smartcards.

  So they really might as well have used formatted floppy disks ;) Duplicating cards (a card is a voting opportunity, ‘vote early, vote often’) would be pretty easy, from the sounds of it.

• amazingly, the software does not record the ‘voter serial number’ that appears on the card, when a voter casts a vote. So again, duplicating the cards is trivial. Bizarre.

• all that is required to extract the PIN from an administrator card is a smartcard reader; the PIN is immediately sent in the clear as soon as the card is inserted and the terminal-card protocol initiates.

• for storage on the internal writable media, between voting and the final upload operation, the logs and votes are encrypted using single DES in CBC mode, with a single shared initialization vector. IMO this is not a big deal as far as I can see, as that’s only stored on the hardware; and if someone can read/write to that, they can subvert the WinCE OS anyway.

Then the kicker:

• the votes are then decrypted before being sent in the clear over a dialup internet connection.

The mind boggles.

Tags: authentication, card, diebold, pin, report, security, summary, vote, voter, voting