Saturday, February 18, 2006
Despite Illegalities, Diebold Election Machines Certified In CA
SACRAMENTO, CA - Secretary of State Bruce McPherson today announced his decision to certify with conditions the Diebold TSX and Optical Scan (OS) voting systems for use in California's 2006 elections. The decision comes after months of thorough review of both voting systems, their compliance with both state and federal laws and the completion of an additional security analysis by independent testers from computer labs at the University of California, Berkeley.

That's only the first paragraph and we have several problems. In the first sentence we learn that this certification is conditional. We'll get to the conditions later. First consider this summary statement of Diebold's certification efforts published in an April 2004 CA Secretary of State Staff Report (.pdf):
1. marketed and sold the TSx system before it was fully functional, and before it was federally qualified;
2. misrepresented the status of the TSx system in federal testing in order to obtain state certification;
3. failed to obtain federal qualification of the TSx system despite assurances that it would;
4. failed even to pursue testing of the firmware installed on its TSx machines in California until only weeks before the election, choosing instead to pursue testing of newer firmware that was even further behind in the ITA testing process and that, in some cases, required the use of other software that also was not approved in California;
5. installed uncertified software on election machines in 17 counties;
6. sought last-minute certification of allegedly essential hardware, software and firmware that had not completed federal testing; and
7. in doing so, jeopardized the conduct of the March Primary.

We've been down this path before. Once again unqualified equipment is given provisional approval, this time despite a clearly documented track record showing Diebold's brazen disregard for such arrangements. They do not genuinely strive to comply with federal laws, and in fact, are currently out of compliance with federal law by inclusion of interpreter code. In his 12/20/05 letter to Diebold (.pdf), Secretary McPherson wrote:

It is the Secretary of State's position that the source code for the AccuBasic code on these cards, as well as for the AccuBasic interpreter that interprets this code, should have been federally reviewed.

So less than two months ago the Secretary recognized the illegal component is present, though without acknowledging that interpreter code is prohibited by both federal guidelines (.doc) and McPherson's own edict (.pdf) requiring compliance with those standards as a condition of state certification. And now he just pretends the equipment is compliant, a fantasy asserted twice in Friday's press release. Let's be clear - the determination of the interpreter code's existence in December and its continued presence today should be all that is necessary to reject Diebold's bid for certification.
Furthermore, McPherson's December letter referred Diebold's equipment to the federal Independent Testing Authority (ITA), not the Voting Systems Technology Assessment Advisory Board (VSTAAB). Never mind the conflicts of interest Dr. Avi Rubin recently described between the ITA and the election machine manufacturers who fund them.
So we already had reason to be suspect of McPherson's December maneuver even before he broke his word and stealthily tapped VSTAAB, a newish body that seems to have risen from the ashes of the Voting Systems and Procedures Panel which was hastily disbanded late last year. The VSTAAB, in conjunction with UC Berkeley grad students, issued a 38 page report called "Security Analysis of the Diebold AccuBasic Interpreter" (.pdf) - again confirming the existence of the interpreter code.
While the analysis is too long to fully dissect here and now, GuvWurld will surely pull more detailed quotes in future reports. For now, a "Security Analysis..." summary:
- We did not do a comprehensive code review of the whole codebase, nor look at a very broad range of potential security issues. Instead, we concentrated attention to the AccuBasic scripting language, its compiler, its interpreter, and other code related to potential security vulnerabilities associated with the memory cards.
- We found a number of security vulnerabilities, detailed below. Although the vulnerabilities are serious, they are all easily fixable. Moreover, until the bugs are fixed, the risks can be mitigated through appropriate use procedures. Therefore, we believe the problems as a whole are manageable.
- Memory card attacks are a real threat: We determined that anyone who has access to a memory card of the AV-OS, and can tamper with it (i.e. modify its contents), and can have the modified cards used in a voting machine during an election, can indeed modify the election results from that machine in a number of ways. The fact that the results are incorrect cannot be detected except by a recount of the original paper ballots.
- Harri Hursti's attack does work: Mr. Hursti's attack on the AV-OS is definitely real. He was indeed able to change the election results by doing nothing more than modifying the contents of a memory card. He needed no passwords, no cryptographic keys, and no access to any other part of the voting system, including the GEMS election management server.
- Interpreter bugs lead to another, more dangerous family of vulnerabilities: However, there is another category of more serious vulnerabilities we discovered that go well beyond what Mr. Hursti demonstrated, and yet require no more access to the voting system than he had. These vulnerabilities are consequences of bugs--16 in all--in the implementation of the AccuBasic interpreter for the AV-OS. These bugs would have no effect at all in the absence of deliberate tampering, and would not be discovered by any amount of functionality testing; but they could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine.
- Successful attacks can only be detected by examining the paper ballots: There would be no way to know that any of these attacks occurred; the canvass procedure would not detect any anomalies, and would just produce incorrect results. The only way to detect and correct the problem would be by recount of the original paper ballots, e.g. during the 1 percent manual recount.
- Interpreted code is contrary to standards: Interpreted code in general is prohibited by the 2002 FEC Voluntary Voting System Standards, and also by the successor standard, the EAC's Voluntary Voting System Guidelines due to take effect in two years. In order for the Diebold software architecture to be in compliance, it would appear that either the AccuBasic language and interpreter have to be removed, or the standard will have to be changed.
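The report's finding that only a hand count of the paper ballots can reveal a tampered memory card raises an obvious question: how often does a 1 percent manual tally actually land on a tampered precinct? The following is an added example, not code from the report or the original post, that computes that detection chance and runs a constructed audit; the precinct count (500), the five tampered precinct ids and the vote totals are all hypothetical.

```python
from math import comb
import random


def one_percent_sample_size(total_precincts: int) -> int:
    """Precincts a 1 percent manual tally covers: 1 percent of the total,
    rounded up, and never fewer than one precinct."""
    return max(1, -(-total_precincts // 100))


def detection_probability(total_precincts: int, tampered: int, sampled: int) -> float:
    """Probability that a uniformly random sample of `sampled` precincts
    (drawn without replacement) contains at least one tampered precinct,
    i.e. 1 minus the hypergeometric chance that every sampled precinct is clean."""
    if tampered <= 0 or sampled <= 0:
        return 0.0
    clean = total_precincts - tampered
    if sampled > clean:
        return 1.0  # the sample cannot be filled from clean precincts alone
    return 1.0 - comb(clean, sampled) / comb(total_precincts, sampled)


def audit(machine_totals: dict, paper_totals: dict, sampled_ids) -> list:
    """Hand-count check: the sampled precinct ids whose machine tally
    disagrees with the count of the original paper ballots."""
    return sorted(pid for pid in sampled_ids
                  if machine_totals[pid] != paper_totals[pid])


def run_example(seed: int = 2006) -> list:
    # Constructed scenario (hypothetical numbers, not any real county):
    # 500 precincts, one candidate's per-precinct total, with five precincts
    # whose memory card was altered to add 40 votes each.
    rng = random.Random(seed)
    paper = {pid: rng.randint(100, 400) for pid in range(500)}
    machine = dict(paper)
    for pid in (17, 88, 203, 350, 471):
        machine[pid] += 40
    sample = rng.sample(range(500), one_percent_sample_size(500))
    return audit(machine, paper, sample)


if __name__ == "__main__":
    for tampered in (1, 5, 25):
        p = detection_probability(500, tampered, one_percent_sample_size(500))
        print(f"{tampered:3d} tampered of 500, 1% tally: detection chance {p:.1%}")
    print("flagged precincts in one simulated audit:", run_example())
```

With five of 500 precincts altered, a five-precinct random tally catches at least one of them only about 5 percent of the time, which is why the report's caveat about relying on the paper ballots matters.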
Gee, this report is getting awfully long and I've still only commented on the first paragraph of the certification announcement. I'm not going to take this too much further today but I do want to comment a little on the second paragraph:
"As the State's chief elections official, the decision to certify voting systems is a very serious responsibility, and a number of factors must be carefully weighed before I determine whether to grant certification," said Secretary McPherson. "This is precisely why I created 10 strict standards that must be met for a voting system to be certified, making California's process the most stringent in the nation. We have applied these standards and after rigorous scrutiny, I have determined that these Diebold systems can be used for the 2006 elections."

The Secretary of State's website has the "10 strict standards" here (.pdf). Check out step 3:
State certification testing does not begin until the federal qualification testing is successfully completed.

That is not the only part of the process developing out of order. Public comment and a hearing are the last two steps before Step 10: "Final review of system and decision by Secretary of State." That would suggest the public will yet still have its chance to be heard. Instead, it would seem McPherson is providing his rubber stamp with disregard for the public forums--held last year, out of the "strict standards" sequence--that ran overwhelmingly in opposition to certification for Diebold.
Battles now seem primed to ensue on at least two levels. There will surely be a response on the state level, likely from a host of election integrity organizations banding together. And there must be county level resistance anywhere Boards of Supervisors appear willing to allow their Registrars to accept the path of least resistance. At a minimum, it would be foolish for counties to begin spending money knowing that major modifications must still be undertaken, and that even then, Diebold's track record leaves no basis for confidence that the equipment will be made secure, transparent, and accurate, let alone "compliant" with optional laws. Perhaps the silver lining is this, from Friday's press release (.pdf):
Diebold will be required to make all recommended long-term programming modifications contained in the report and submit the modified product to the Federal Independent Testing Authority (ITA) for requalification and state certification.

So not only is the certification provisional, apparently it is going to be completely up for review again if/when Diebold ever complies with the law. So why certify it now? Notice that the press release only mentions California's 2006 elections.
For broader perspective, Diebold is like the hotshot quarterback whose teachers give him passing grades just so he can play ball. The more potent analogy here is Mr. Bush saying unconstitutional spying on Americans is legal - because he is already doing it. If we are not a people beholden to laws, what inhibits our potential responses? Election reform is not a goal unto itself but rather a tactic in the peaceful revolution. Here's a Blueprint.
Non-violent revolution is necessary, NOW!
I read this around noon today and I was so outraged, I took a couple of hours away from my research to write a LTE. Hope you don't mind me paraphrasing heavily from your post.
This is the text I sent the five local papers (Times-Standard, Eureka Reporter, North Coast Journal, Arcata Eye, and The LumberJack):
After reading the February 17, 2006 press release by California Secretary of State Bruce McPherson, and the GuvWorld analysis (http://guvwurld.blogspot.com/2006/02/despite-illegalities-diebold-election.html), I am outraged by this illegal decision to certify Diebold voting machines in California. All the spin in the press release that implies these voting machines are an excellent product with a few easy-to-fix problems ignores the basic facts:
1. The Diebold TSx system has never had federal certification, which McPherson said was required for any system he would consider adopting in California. Why did he ignore this basic requirement?
2. McPherson knows that Diebold misrepresented the TSx as being federally certified as a marketing ploy. Why is he even doing business with such a dishonest company?
3. Diebold has already been caught illegally installing uncertified software on voting machines in 17 counties, including Humboldt. Why is he doing business with a company that admits it has already broken the law?
4. Diebold jeopardized our March Primary by waiting until a few weeks before the election to pursue certification of new hardware and software. Why is he continuing to do business with a company that manufactures crises to pressure him into hasty decisions?
5. McPherson knows Diebold is using illegal interpreter code (AccuBasic). Again, why is he continuing to do business with Diebold when they continue to break the election laws?
6. McPherson knows the bugs in Diebold's TSx voting machines are huge gaping security holes because that's what his independent report from UC Berkeley told him. He claims his list of security precautions will prevent anyone from taking advantage of these fundamental design failures. Why is he accepting a computerized system that depends completely on individuals for its security?
I thought one of the main reasons we turned to electronic voting was to improve accuracy and security. Remember the days when stuffing ballot boxes was common? "Vote early and vote often," and high voter turnout from the graveyards in Chicago? Instead, we're making it easier for those elements of politics to hijack our elections without being caught. Most of the people at the precincts are volunteers, and in a small town everything's informal, so it's unlikely the security rules will be followed to the letter. Any reasonably competent computer geek who got access to the equipment could change the results--with no way to prove anything was changed.
In other words, there is no way we can be confident the results of elections reported on Diebold machines actually reflect the ballots cast. Doesn't this undermine the whole point of having a free, democratic election?
So why is our Secretary of State certifying electronic voting machines that are so insecure we have no basis for confidence in any election results they report? We, the citizens (and registered voters) of California must demand an investigation of Bruce McPherson for his illegal certification of Diebold voting machines. We must hold him accountable for dealing with a company known to operate outside the law and jeopardizing our democracy.
Graduate Student, Humboldt State University
Update: My letter was published this morning in the Eureka Reporter as a Guest Column.
I just got a call from an elderly gentleman (83) congratulating us for standing up to the voting officials. Seems he's had problems with Elections Manager Lindsay McWilliams over the 10-minute time limit in the voting booth. McWilliams told him that local officials could make up any rules they wanted, which neither of us thought was appropriate. My caller said he even photographed the "10-minute limit" signs and took the pictures to Representative Mike Thompson's office. I should've asked if he wanted to join the Voter Confidence Committee. (I saved his number on my phone in case it would be OK to call him back.)