How To Spot E-Vote Tampering?

Precinct Election Judge writes "I am one of the Republican Party Precinct Chairs in Harris County, Texas. Since in 2006 Republican Rick Perry won the Governor's race in my precinct I will be the head election judge at my polling station this November. (My Democratic counterpart will be assistant election judge.) I have read with interest the stories about voting machine hacking, and I want advice from those of you who are experts on what to watch for to make sure there is no fraudulent activity at my precinct during the election. What activities should I look for? Keep in mind my restrictions: I will be at a table in the front of the room with the voter rolls signing people in, I can only approach the voting machines if a voter asks a question or if I have strong reason to believe there is fraudulent activity, the last thing I need is for someone to say the Republicans are trying to keep people from voting! And finally, although each station and voter will be visible from my seat each machine has 'blinders' around it so I will most likely not be able to see the hands of each voter while they are at the station. Thank you in advance for all suggestions."

You won't see most of the fraud

[Dracos]

The most egregious fraud on electronic voting machines is completely out of your control, and most likely happens out of sight of any precinct level election official: in the software that is installed on the machines. Unless you have the authority and knowledge to inspect many thousands of lines of code on each machine, you are powerless in this regard.

However, most machines have some type of USB, SD card, or other hardware interface that might be protected with some type of tamper proofing, like the foil seals on aspirin bottles. This is probably beyond your authority to put in place, though.

The only thing you can do is pay attention to the tabulations, if you get to see them.

I recommend you watch Hacking Democracy for insight on what to watch for.

Black Box Voting Org

[OzPeter]

In all fairness to the /. crowd, I'd say that the best place to ask this question would be the forums of http://www.blackboxvoting.org/ [blackboxvoting.org] From what I have read of their analysis of previous elections I would guess that they have seen it all before.

Re:How To Spot E-Vote Tampering?

[Dracos]

Remember: Diebold changed their name to Premier Election Systems last year.

honesty is tricky

[Jaazaniah]

Unlike our first commentor, this is a more serious approach to the problem. Depending on the model of machine you're using, there's really no way to spot it as it's happening given your restriction set. Your problem is not with "box" stuffer vulnerability, but record vulnerability - Slashdot's collective outcry has been because there was no security or checks and balances put into Diebold's (and their later off-shoots) machines, causing potential for huge abuse at any point before voting, and any point after voting until announcements are made. We think contracts were pushed to facilitate this weakness in the system, but are powerless to change it individually. As a disclaimer, the following measures, even if followed to the letter, will not guarantee vote security if using machines with the above mentioned vulnerabilities, and will not permit any politician to pretend otherwise. That said, here are problems on the systems themselves that should not be allowed by default to address your time of interest (voting); open ports - of the system has a floppy drive, a cd rom drive, or any sort of pluggable port besides the power cord, that is accessable with moderate difficulty, that's a breach waiting to happen. Ask your technitions this specific question - "are there any IR or radio devices in these terminals?" A program built to listen for wireless devices is just as serious as a USB port being open. Ask them about the system inputs. If there are keyboards, "have you disabled all possible shortcut key combinations to prevent system access?" There is more that could possibly go wrong, but I'm sure Slashdot will have plenty to say. P.S. Hope you weren't expecting an overall warm welcome - your party's reputation here was shredded and torched over the past 8 years.

before, during, after

[beegle]

I think it's important to realize that voting machines are so insecure that preventing fraud entirely is impossible. That said,

1) Ensure that the machines are physically safe before the election. Don't leave them in an insecure area between the time that you check them to ensure that the counts are at zero (and DO check that) and the time that voting begins. Allow nobody near the machines without both ID and a witness at all times, including yourself (you don't want to be accused of anything), ESPECIALLY if they claim to work for the company that makes the machines. In fact, if anyone you don't know shows up to work on the machines, get approval from as far up the chain of command as can be managed and WRITE DOWN the name, time, etc. if it happens. Consider some sort of tamper-evident seal for the area where the machines are stored (your local trucking company can provide you with a handful of the ones that they use on freight trailers).

2) Watch for voters who are holding either memory cards or keys. The best-publicized ways of messing with a machine involve unlocking the machine and/or inserting a card with altered data. Keep in mind that the memory cards can be a lot smaller than those giant plastic cases around some of the official cards. Also keep in mind that if you see this, it might just be somebody with a spare memory card for their camera and a set of car keys.

3) After the polls close, physical access becomes a big deal again. Don't allow anyone near the machines or cards without ID and a witness, including yourself. Ensure that the machines are locked away, and find out who has a copy of the key to the room/closet/truck/whatever.

Re:Start with the obvious

[Em Adespoton]

On election day (since the machine could have an internal clock and work just fine any other day), leave one voting machine alone, and at the end of the day, cast your ballot on it (this may be necessary to "activate" it).

Then check the machine and see if your vote was counted correctly.

Expensive, but an extremely good idea; I'd add that you should have a number of people cast ballots who will cast known ballots.

If you make sure all administrative openings are taped over with tamper-resistant tape, keep one (random) stataion aside during the voting and then have a "control" group vote using it, that's about all you can do from your end, apart from preventing e-stations from being used in the first place.

Re:Black Box Voting Org

[OzPeter]

replying to my own post. I found some analysis that I had seen before about Sequoia e-voting machines used in the 2004 presidential race in Palm Beach County (FL). When I first saw this data I was astounded at what their analysis showed. Assuming that BBV is a fair and honest non-profit (after all you should be suspicious of everyones motives when dealing with things like this) what they found is horrifying. http://www.bbvforums.org/forums/messages/1954/19421.html?1141918235 [bbvforums.org]

Re:That's the hard part

[dascritch]

Here in France, the ballot box is transparent (plexiglas) and most of the time, vote are put in a envelope.

But it is also true that we are planning elections so that never more than two simultaneous consultations are done the same day (and never during Presidential Indecisions days).

I was assesseur (co-judge) in numerous elections, and we rarely have to count more than one hour for 2000 exprimed votes. I think symbolic transparency of the ballot box help to have more than 50% of participation for major elections (less are European votes, with 40%)

Re:That's the hard part

[FredFredrickson]

You can have a paper trail without losing anonymity

Good sources of Info.

[Irvu]

I'm assuming that you have the Hart InterCivic system as stated by The Verifier [verifiedvoting.org]. In that event, as other authiors have noted you may have no hope of detecting truly electrionic tampering. However you may spot some things. The links below also apply to Diebold and ES&S systems as well.

I would be sure, to tell all voters to read the confirmation screen carefully. Many other locations have reported instances of vote switching where voters, once they reach the closing screen, see a different outcome than they pushed. Evidence from a Rice University study indicates that less than 30% of people even read this screen but those that do have reported nontrivial numbers of flipped votes.

Secondly I would educate yourself about the machines. Ohio's Everest study [state.oh.us], particularly chapter 14 [state.oh.us] contains many scary things about the machines. Some you can look for, many you cannot.

You will also find information from the California study [ca.gov] notably the red-team reviews of the hart system.

Voters Unite is also a source of some good info As does [votersunite.org]Pollworkers.us [pollworker.us] which is a useful site for those working the polls.

Re:Do you have a paper trail?

[SatanicPuppy]

Horse. Shit.

Where I live the requirement for electronic voting machines means that poorer areas, who can't afford enough of them have lines that routinely take hours to get through, which damn well disenfranchises people every damn election...Lot of poor people have jobs that are real understanding of a 4-hour "vote break".

Don't even try to sell it on that grounds, because there are people all over this country whose franchise would be a lot easier to exercise if they could just use a pencil and a piece of paper.

Austin Parallel Testing

[Anonymous Coward]

The new kind of voter fraud that is introduced by electronic voting machines is one where the software pre-installed is corrupt. Certainly, people can try to hack the machine at the voting booth, but that can be spotted more easily and has less overall impact. Corrupt software, however, has the potential to steal many more votes. The probability of corrupt software increases when the software is proprietary, but that's all there is right now (nudge to visionaries: develop open-source voting machine with paper trail, sell machines to counties like this one, Profit!).

In Travis County, TX (where I live) they have a system in place that uses "parallel testing." This is where they randomly select a machine at each precinct at the start of election day and vote a randomly selected number of times throughout the day to simulate people voting. They keep track of how they voted and verify that was what was recorded correctly at the end of the day. Not foolproof, but pretty smart and a good safeguard.

Here's the report (very cheesy):
http://www.co.travis.tx.us/county_clerk/election/pdfs/NIST_paper_051005.pdf

Re:Do you have a paper trail?

[TrinSF]

The voting machines we use are the Hart E-Slate machines, which are coincidentally the only machines that have been re-certified in California so far. Alas, I'm not a designer of election equipment -- I'm a precinct inspector, which means I'm in charge of a single voting precinct. I would suggest inquiring to Hart directly about the planning involved in voting systems. What I can tell you is that we have multi-inputs, including sip-and-puff, and multiple outputs. My impression is that we can, with attachments, provide braille-based output and verification for voters, but I haven't had to do so thus far. (And such attachments are expensive enough that they are not provided to every precinct and every voting unit.) However, I have had sip-and-puff and blind voters, who all had previously been unable to vote without assistance.

Re:Just ask the votes

[urcreepyneighbor]

This is called an "exit poll" and it's remarkably accurate.

Really? People do lie, you know. I lie - out of principle - whenever I'm polled.

According to my local papers, I'm illiterate. :)

Except of course in the last couple of elections in the USA, where the exit polls utterly failed,

Race is going to be a big factor for 08. White folks, not liking to be perceived as "racist", will lie their lily white asses off if they're asked who they voted for.

Well, those that care. As for trolls like me, I have nothing to lose. Society has already shunned me. I'm voting for McCain or Barr.

Consult an expert

[kilpatjr]

Voting security research is happening in Houston at Rice. Get in contact with Dan Wallach in the Computer Science department.

Post Results!

[Anonymous Coward]

Here in NM, the law says that after the polls close, we (poll workers) must POST A COPY of the paper trail outside the precinct so voters can see within their district how many votes each candidate got in each race.

This doesn't prevent the kind of tampering that happens at the central tabulator, as in Ohio in 2004, but it does give us all (voters) the opportunity to have a greater chance of seeing shinnanigans early so we can know when it is obvious that we need to jump up and down about something.

Re:Someone please...

[WinPimp2K]

troll, funny, does not matter.

I live in Harris Co. and the machines are pretty horrendous. They look pretty, but there is no form of verification whatsoever. As for the asshats who say that we have secure electronic systems for securities trading, credit card systems and bank ATMs... well just remember that not one of those systems is anonymous.

As to detecting "fradulent activity" as an election judge, well if you hear somone operating a power screwdriver or see small parts being dropped on the floor, well that is about as good as you can get on detecting tampering with those damnable machines. In other words, you are not going to detect any fraud that involves hacking the machines. You are limited to what you can do to prevent "old fashioned" fraud - ie the vote early and often crowd. Since there are no ballot boxes you don't have to worry about them being tampered with :)

Now if you could demand photo ID (and anyone presenting those cards from the Mexican consulate should be immediately deported) and compare that against your local voter rolls that would be nice. It would also be nice if you had some way to update your voter rolls by checking against death certificates issued in the last year.

Using a machine as an interface would be fine, just let it print a darn ballot that the voter can verify.

Re:Do you have a paper trail?

[TheMCP]

I'll go one further. If it doesn't produce paper ballots which are readable by the voter to ensure they reflect the voter's intent, and which are counted rather than a direct electronic tally, the system can be hacked. Period.

As a computer scientist and programmer I have 0% confidence in any system which doesn't produce a paper audit trail, but even if it does, if the voter can't personally validate that the audit trail for their vote reflects their intent, the system could still just be producing a phony audit trail.

Re:Just ask the votes

[Blakey Rat]

So, standard solution: ask the people as they leave the polling station.

This is called an "exit poll" and it's remarkably accurate. Except of course in the last couple of elections in the USA, where the exit polls utterly failed, especially in districts that had new shiny e-voting machines with no paper trail.

You can't make exit polls part of the official process, as then it would no longer be a secret ballot. Unless you do an exit poll with complete anonymity, in which case you're just making people vote twice.

Also, as a resident of the west coast, I hate exit polls with a passion. Getting the early poll results from the east coast before our voting locations even open has to influence voters in an extremely negative way. I'd prefer the press be banned from reporting any polls or results until after polls close on the west coast, personally. Damned free press. ;)

Educate yourself about the entire process

[TrinSF]

I work as a elections inspector in California, which means that I'm in charge of a single precinct -- I'm basically the head pollworker, responsible for the accountability of the ballots and equipment from the time it's delivered to me until the time I turn it in immediately after the election. Because of that, it's important that I am fully aware of what's going on with our equipment and alert to the possibility of tampering. My best defense has been knowledge -- which is a double-edged sword. I know how our system works. I understand the reasoning for each step of our process. I've taken every possible class offered by our county and achieved the highest possible level of certified proficiency with the equipment. So, instead of wondering what could go wrong, I understand the risk areas. For example, our equipment now has unique coded seals for every unused input/output port, and I know to watch to ensure those stay intact.

Ask "Why?" Ask to have equipment and processes explained to you. But at the same time, make sure that every moment of the day, you're acting beyond reproach. I hold my poll workers to very high standards, because every moment of every day, we're possibly under scrutiny, and it's important that there never be even the slightest incorrect impression that we're not being fully compliant to the rules and laws involved. I've actually had poll workers get angry and leave early because I was asking them to comply with the rules and they were unhappy being told, "No, you can't talk to your friend who is voting about politics" or "No, you can't imply you don't like a candidate by giving someone a funny look when they ask about a ballot option," or "No, you can't use your laptop/PDA/cellphone in our polling place".

But I'm pretty freakin' idealistic about what I do. If I lived where I grew up, I'd be a poll worker in a place where these have been real problems for decades. Right now, I live and work as a poll worker in a part of the country that has not historically had problems with voter disenfranchisement. So my work may have less meaning, in some ways, but it's still important. (Sorry, I feel very strongly about what I do, and it's hard not to talk about that.)

Re:Do you have a paper trail?

[TrinSF]

If the voter cancels their ballot at that point, the vote is cancelled, they're assigned a new machine, and that ballot is marked invalid. It's actually a really big deal, which is why voters approve their ballot three times. Once before it prints to the paper copy, again to approve the paper copy, and a final time to count the vote.

BTW, changing one in 20 votes would not be enough to swing elections for us -- I have between 50 and 200 voters in elections -- and more than double that cast absentee ballots -- and the margins in their votes tends to be very large, more than 20-30 percent. They're pretty homogenous in their voting habits. But hey, it's the Bay Area, it's like that.

Re:Just ask the votes

[liegeofmelkor]

First, let me say that I'm not trying to say that e-voting machines are secure. They have a number of unique vulnerabilities which could be corrected with proper planning and procedures.

However, suggesting the reliability of exit polls as an indicator of tampering is not a solution. There are social considerations involved in conducting the poll. The buzzword floating around this season is the Bradley effect [wikipedia.org] and described the observed tendency of exit polls to systematically overreport the performance of minority candidates. A cause is presumed to be the voter's fear of being branded racist by the poll-taker. Additionally, a number other factors in poll methodology can bias results, such as the time of day at which exit poll-taking ceases (with respect to poll closing time) (see Exit polls [wikipedia.org]).

Granted, if major tampering at a location has occurred, then exit poll will likely not match the polling location results. However, you can't use the converse of this statement to assert a rigged election (see any discussion of a logical contrapositive vs logical converse). The exit poll can only serve as an indicator that further investigation of tampering might be prudent. But, without an intelligently designed paper trail and paper trail chain of custody, those investigations won't find anything...

.

Just barely better than no paper trail at all

[mbessey]

It's just great that California has instituted a requirement for a voter-verifiable paper trail for e-voting machines, but the fundamental problems still remain.

The problem with these machines is that there's no guarantee that the ballot that the voter verified actually matches what gets recorded in the memory of the machine, and what eventually gets transmitted upstream.

Yes, a manual recount based on the paper trail would catch massive vote fraud - but that's only going to happen if the results are obviously bogus.

The results of the voting machine review that the CA Secretary of State performed are here:
http://www.sos.ca.gov/elections/elections_vsr.htm [ca.gov]

Reading those reports is pretty scary. The state identified a bunch of weaknesses in the various systems, and imposed requirements on the vendors to plug the most egregious security holes. But there are literally DOZENS of operational requirements imposed to ensure that the voting is secure and that the privacy of voters is maintained.

Things to watch for

[goombah99]

First your question holds the telescope at the wrong end. Tampering by voters is much less likely to occur because it is unlikely to change an election out come or occur in an undetectable manner. The people to watch are the election officials, with pre-a nd post voting access to the machines.

That said what a voter can do depends on what machines you have in use. Lets consider the big three Diebold, Seqouia edge or ES&S ivotronic and no voter verified paper trails.

On the ES&S, the voter is usually facing the machine in a privacy carrel and the machine is a flat block. It very possible for a voter to complete obscure the following transaction ( I know because I've done it). Flip the 5 pound machine over and you find little plastic door. you can easily force this open. Behind it is the Flash memory cards. Yank these out and put them in your pocket. close the food and flip the machine over. Leave and the election is screwed.

It's also possible a diabolically well outfitted voter could have a second PBS device in his pocket. Armed with that, he can can admin access to the machine and do anything they like and vote as many times as they wish.

With Sequoias edges, depending on the model revision number there can be a little yellow button on the back. Pressing that causes the machine to go in to supervisor mode. If I lean forward I can just reach around and get that button. If you were watching you could see me execute this clumsy maneauver.

I've never had the chance to play with diebolds so I can't offer specifics Some diebolds have an unguarded IR port that a hacker might be able to do something interesting with on their palm pilot. But I don't think there's any known attacks yet.

On all of these machines, it's possible to miscalibrate the screens. The screens can be miscalibrated by heat or scratching them with keys. In the neighboring county we had one guy running for office actually carve his name into the machine. Unfucking believable.

That same county had a vote buying operation going on (a few people got arrested and convicted). So make sure people vote alone.

For systems with paper tapes (not paper ballots) you can sell your vote if you have a camera or cell-phone camera because a picture of the voted paper tape before it scrolls out of sight is proof of vote. So no cameras!

But the problem with all these is that there's a huge risk to the bad voter and they can only affect a few votes. At worst they wreck one machine and probably get caught. Vote flipping is hard if not impossible at the retail level.

THe really fun things happen when supervisors can reprogram systems, get access to the flash media and have the ability to replace it.

Perhaps the best way to sabotage an election is the Denial of Service attack. Simply having machines not boot in the morning tends to filter out working wage-class folks over seniors or people on salaries. Having long lines in the late afternoon filters out working moms that have to go pick up the kids and take them to soccer practice. Likewise breakdowns in the evening are cool because you can close the polls while there are still people who have not voted. (see Ohio for example).

Re:Let me be sure I understand....

[TrinSF]

When you sign your name, if you look at the fine print on the page, you are signing to verify under penalty of law that you are who you say you are. And when you print your address, if you look at the fine print, by printing it you are certifying that's where you live. Because you had to sign a voter registration card at some point in the past in order to be in that roster, your signature is on file somewhere, and should anyone have a question about the votes in your precinct, the signatures in the roster book could be compared to the voter signatures on file.

Just in case you ever wondered. As I've explained elsewhere, ID's are not required because historically, that's been used as a primary way to disenfranchise voters.

Sorry, but your facts are wrong.

[Jane Q. Public]

You are wrong on nearly all counts.

(1) E-voting tampering has proven to be rampant and has been reported virtually "everywhere", i.e., it is impossible to predict what precinct will be victim, rural or otherwise.

(2) "The people", sophisticated or not, are not the problem. The problem is sophisticated, carefully prepared, and sneaky people who are in positions of authority or easy access. That is, the people to watch are voting officials and employees of the voting machine company, and anyone else who has "special" access, even if that is just tallying the count.

(3) Real errors are few, and they are EASY to distinguish from fraud. In order for electronic voting fraud to be worthwhile, each tampered machine must have significantly skewed results. You are correct, however, that "appearance of fraud" can be a problem.

You are also correct that transparency is your greatest ally. However, all the "apparent", public transparency you can muster will not compensate for "oddly designed" or hacked software on the voting machine. The only transparency that will solve that problem is public access to the machine's code. Some states are adopting laws to that effect.