Iowa Voters

Democrats loved HAVA in the beginning. It was going to end the large number of spoiled or undervoted ballots that plagued some Democratic precincts. “Don’t worry about that paper trail nonsense,” they said. “Democrats will win more votes with new e-vote machines because more votes will get counted.”

New Mexico saw the opposite result. In 2004 they made the switch to electronic machines. In 2006 they switched back to voter marked paper as a way to satisfy the public demand for paper trails. The undervote rate went up six-fold in some of the most Democratic precincts in 2004 and came back down in 2006. Stunning.

Here’s the research: link

The 18,000 missing votes in Sarasota, Florida resulted in a study of the voting machines that was released this week. It say the machines are “terribly insecure“. Iowa uses similar machines in Emmett, Calhoun, Clayton, Clinton, Fayette, Jasper, Johnson, and Lee counties.

Commenting on the report, computer scientist Ed Felton of Princeton says:

Experience teaches that systems that are insecure tend to be unreliable as well — they tend to go wrong on their own even if nobody is attacking them. Code that is laced with buffer overruns, array out-of-bounds errors, integer overflow errors, and the like tends to be flaky. Sporadic undervotes are the kind of behavior you would expect to see from a flaky voting technology.

Missing votes may be in our future, too, if we continue to use tally our votes on touchscreens.

Update: Photos and first person account of this story are here.

Another Princeton University scientist has hacked into another brand of voting machine. It took seven seconds to pick the lock. Then he wrote vote-stealing software that would run only on a certain Tuesday in November. He said the machine was a hacker’s dream. They are used all over New Jersey.

Last summer it was Diebold stuff that came under the knife at Princeton. Similar Diebolds are used in Iowa.

This time it was Sequoia voting machines. They had been sold on the internet by officials in North Carolina. The Princeton man spent $82 to get 5 of them. Recently New Jersey bought nearly identical devices for $8,000 each. Over 100 machines were sold from GovDeals.com. The Princeton purchaser points out that

He is confident his students and other recent buyers of 136 Sequoia machines sold on GovDeals.com — where bidders also can find surplus coffins, locomotives and World War I cannons — will crack Sequoia’s code.

Then, he said, it will be fairly simple for anyone with bad intentions and a screwdriver to swap Sequoia’s memory chips for reprogrammed ones.

Don’t tear your hair out just yet: I’ve only told half the story.

The other half is an allegation that NJ never tests its voting machines, despite state law saying they must do so. New Jersey law is remarkably like Iowa law. Three examiners (same as in Iowa) get paid $150 each (same as in Iowa) by the voting machines company (same as in Iowa) to examine the machine for compliance with vague criteria (same as in Iowa).

Have no faith in paperless voting machines. No one is minding the store.

Thanks to John Gideon of Voter’s Unite for calling attention to this NJ story. John’s been doing this sort of work for two or three years now. He is one of my main tipsters.

Iowa’s election director Sandy Steinbach has been contradicted in a report to the federal Election Assistance Commission (EAC). The report resulted in the exclusion of Ciber laboratory from its previous role as an independent testing authority(ITA) dealing in voting machines. Ciber has “tested” all of Iowa’s voting machines, according to Steinbach.

In a January 8, 2007 email to me, Steinbach said Ciber was no longer allowed to test voting machines merely because some administrative hurdles had not been cleared. She wrote:

Ciber applied for EAC certification. The reason that the Ciber did not receive EAC certification was the administrative requirements. Ciber’s technical capability is not in question. You can verify this by calling Brian Hancock at the EAC.

But the newly released report says Ciber’s technical capability is in fact the problem. It says Ciber cannot show it follows its own testing protocol and that:

“CIBER has not shown the resources to provide a reliable product. The current quality management plan requires more time to spend on managing the process than they appear to have available and it was clear during the assessment visit that they had not accepted that they have a responsibility to provide quality reviewed reports that show what was done in testing. The ITA Practice Director indicated during the assessment that their difficulties were that corporate CIBER did not allow for the personnel resource time for quality management functions . . . .

Worse than that, the report says Ciber admitted :

. . .that the testing for a product tends to either use vendor developed tests or new tests developed specifically for the product – they have no standard test methods defined. This makes their testing dependent on the vendor input and vulnerable to unique vendor interpretations . . .

In short, the feds now know that the so-called independent testing authorites, who provide a patina of legitimacy for secretive computerized voting machines, are not independent, not doing the testing, and not authorities of any sort. We critics have been saying that for years. Give us ten more points. Score now at 193-0.

The report had not been made public when Steinbach wrote her email. It became public when New York officials threatened to subpoena it.

The most puzzling part of this report is its reporter, Steve Freeman. He once served under Sandy Steinbach when they both dealt with the ITAs for the National Association of State Election Directors(NASED). Why is Freeman criticizing Ciber now after years of accepting their work at face value? Perhaps Steinbach has already explained. In her email she lamented:

Our reviewers spent literally thousands of unpaid hours and accomplished a great improvement in the quality of voting system reliability. . . .Did we have the formidable resources now in the hands of the EAC? No. Given what we had to work with the NASED program accomplished a great deal. It was not perfect. NASED, fully recognizing our own limitations (no budget or paid staff, with voluntary standards that we had to beg for years to have updated, neither the authority nor the resources to go in and audit the labs) worked for many years to gain federal interest in the voting system testing process.

So Ciber was the wizard of Oz, hiding behind a curtain of proprietary secrecy, doing wonderful things for vendors and fooling the NASED volunteers, including Steinbach. I wonder if she feels betrayed.

In light of the increase in contested elections since 2000:

* the 18,000 missing votes in Sarasota, Florida in 2006
* the decertification of the lab that “tested” a majority of US voting machines
* the conviction of two Ohio election officials for rigging the 2004 presidential recount

concerned citizens are questioning the integrity of our voting systems.

A recent recommendation released by the National Election Data Archive (NEDA) suggests that a system for election audits may be the solution to ensuring the integrity of election outcomes.

NEDA’s new paper provides a small table to look up the margin between the leading candidates to find a percentage and a minimum election audit amount that would ensure that election outcomes are accurate.

For example, if we wanted to audit the Boswell-Lamberti election, the table says we would have to hand count the ballots in 6 precincts because the margin of victory was just over 5%.

There are two problems with this. First, some counties in the district are unauditable since their voting machines leave no paper trail. We know how to fix that, don’t we?

Second, the NEDA formula is so simple that it might miss some manipulated precinct results–even missing enough mischief that we have only a low degree of confidence that our audit has been effective. For example, the NEDA paper assumes 440 precincts in a Congressional district, whereas the Des Moines area district has only 330.

There are other formulas for selecting the number of precincts to audit, and I’ll look into them later. For now remember that getting a paper trail is only the first step if we want to guarantee election returns that are counted by software. Auditing is the second step. We need both.

If you can handle some math or like colorful tables, you might want to examine the NEDA paper.

Two high ranking county election workers in Ohio have been found guilty of rigging the recount in 2004. They were required to recount three per cent of their presidential votes. If any discrepencies were found, a full recount would be conducted.

So to make sure they avoided the full recount

the employees broke the law when they worked behind closed doors three days before the public Dec. 16, 2004, recount to pick ballots they knew would not cause discrepancies when checked by hand so they could avoid a lengthier, more expensive hand recount of all votes.

Remember how Diebold claims its election software doesn’t really need to be secure because there is no such thing as dishonest election workers?

State election director Sandy Steinbach reports that all of the voting machines in Iowa were tested by Ciber laboratory. Ciber has now been barred from further testing by the federal Election Assistance Commission(EAC). The EAC action was taken in July but kept secret until the New York Times broke the story last week. According to the Times, Ciber was suspended because it “was not following its quality-control procedures and could not document that it was conducting all the required tests.”

Steinbach was until recently an overseer of Ciber and two other test labs(ITAs), in that she directed the volunteer voting technology board for the National Association of State Election Directors (NASED). The NASED board was supplanted by the EAC last summer. Steinbach said her NASED board over the years

noted deficiencies in ITA reports and returned reports to the test labs for additional documentation on numerous occasions. . . .NASED . . .[had] neither the authority nor the resources to go in and audit the labs

Steinbach characterizes the 2006 decision of the EAC to bar Ciber this way:

These labs have to, first, be certified by [the National Institute for Standards and Technology] and then comply with the EAC criteria. These criteria contain
extensive administrative requirements as well as technical requirements. . . . The reason that the Ciber did not receive EAC certification was the administrative requirements. Ciber’s technical capability is not in question.

Ciber may indeed be technically savvy, as Steinbach believes. But if they weren’t documenting that they did the testing they said they were doing, well, then maybe they weren’t actually doing it. Maybe those savvy techicians were busy elsewhere since NASED had no way to double check. Stranger things have happened.

Software tester John Washburn suspects Ciber’s work, too. He cites a list of questionable work by Ciber and discusses the certification process that Ciber flunked. John Gideon has even more on the EAC decision.

More than once (in Pocahontas, in Fort Dodge) I personally heard voting machine advocates tell an audience that touchsreen software was tested to the N-th degree, even “line by line”.

Only a couple federally sanctioned labs ever tested software in voting machines. Now comes news that one of them (Ciber) has been blocked from further such work because of poor quality control.

Score another point for the critics of current voting machines and the way they get evaluated. The score is about 183 to 0 now.

The Technical Guidelines Developement Committee(TGDC), which was created by the National Institute for Standards and Technology (NIST) to advise the federal Election Assistance Committee(EAC), has proposed an improvement in voting machine design. Yesterday they said–unanimously–that elections must not depend on software.

They propose that any voting equipment that gets certified under the 2008 standards must have a paper trail or some other safety feature that is not based on software. They said you can never be sure about software. They must be terrorists!

The proposed change must go through a public comment period, if the EAC agrees to adopt the TGDC’s advice

One of the goals of the Help America Vote Act was to end the problem of uncounted ballots. One reason they are uncounted is that voters don’t fill them out correctly or completely.

HAVA said voters must be warned about any unvoted portions of the ballot. Counties bought new equipment to achieve this. Touchscreens were supposed to warn people of unvoted races just before the voter finishes. So why are some races undervoted by 20% or more?

Here is a photo of a Florida ballot race for Congress that was missed by nearly 20% of the voters. I can see why it happened. It is just like the infamous butterfly ballot. The problem is in the layout. Ballot designers don’t need new equipment, they just need better graphics.

In the photo the touchscreen is dominated by the race for Governor and its seven choices. The most eye-catching word on the page is “STATE”, which indicates the move from federal offices above to state offices below. It is easy to ignore the Congressional race at the top of the page once your eye lands on the Governor’s race.

I’m guessing the reason the review page at the end of the ballot didn’t prevent this undervote is because of some similar graphic problem.

Paper ballot scanners aren’t much better. My ballot was rejected by the scanner Tuesday. I knew there was a tiny LED screen on the scanner. I looked at it for an explanation, but the message blinked off before I could decipher it. I tried running the ballot in again, thinking I’d check the message more quickly. This time the ballot was accepted! So I never got to fix what was undervoted.

My wife said she left the entire back side of the ballot unmarked. But her ballot was not rejected for undervotes.

Thus we have expensive new equipment that has made much more work for precinct workers and we still have undervotes.

Some 18,000 voters failed to get credit for their votes in a hotly contested Congressional race in Florida Tuesday. There is no paper trail for most of them. The race has been “decided” by a 368 vote margin.

It’s ironic that these same voters approved a local ballot initiative to require paper trails in the future. Their iVotronic voting machines are from ES&S and similar to those used in Fayette and Clinton counties (among others) in Iowa.

Here’s an excellent account of how this is a voting machine problem, not a voter problem:

This so-called “undervote” raised suspicions among Democrats because it represented almost 13 percent of all people who cast ballots in Sarasota County on Tuesday.

That percentage is high by almost anyone’s standards — especially in a race in which the candidates raised $8 million to reach out to voters through TV and other advertising.

By contrast, the undervote in the U.S. Senate contest in Sarasota was only 1,600. In the governor’s race, it was only 1,800.

Ironically, even a Sarasota County charter amendment requiring the use of a paper trail with voting machines registered an undervote of only 8,885. The amendment passed.

Not every part of the Congressional District lies in Sarasota. Other parts of the district have scanned paper ballots. They didn’t have very many undervotes by their citizens. The Miami Herald reports:

The House District 13 undervote rate was more than 10 times higher than the two elections that bookended it: the governor’s race and the U.S. Senate race Harris lost. The undervotes in Sarasota also stick out next to those from comparable Manatee County, where the no-vote rate was about 3 percent. Manatee uses fill-in-the-blank, optical-scan machines, as does Sarasota for absentee voters.

In a classic BLAME THE VICTUM response, a state official said,

“There is a bit of voter responsibility when you’re casting your ballot.”

and

‘’You can’t really get in the minds of the voter,'’ Nash said, noting people decide not to cast ballots out of protest or because they just wanted to sign in on Election Day to preserve a good voting record.

The local officials are no more sympathetic:

“We did a good election,” said Kathy Dent, Sarasota County’s top election official.

More irony: This is the House seat being vacated by Katherine Harris, Secretary of State during the 2000 partial recount of the Presidential race. No recount is possible this time, so no problem, I guess.

I returned to the Havelock poll with copies of the rules on voter identification and found Diebold’s local distributor had a man on the scene to get the touchscreen working. It turns out that the touchscreens are “touchy.”

According to the repairman the program card was loose and not making electrical contact. He said it probably shook loose in transit. He pushed it tightly into place and that fixed it.

He also said he had brought with him a duplicate program card, just in case. Isn’t this the card that must be protected with security tape? How is it that vendors run around with spare parts in their pockets? Do they have security tape on their pockets?

Meanwhile the paper scanner had caused another mishap. A voter had left his ballot on the scanner and he had left the polls. Pollworker Gary said the ballot was not marked by filling in the ovals but by marking the actual names on the ballot. The scanner machine considered it an “undervoted” ballot and spit it back out. The voter either didn’t notice or didn’t know that he was supposed to do something about it and he left the polling place.

Gary said the voter’s intended votes were quite clear, so they put it in a provisional ballot envelope for the county to deal with tonight.

I’m guessing this vote will go uncounted. Iowa does not require the pollworkers to try to discern the intent of the voter. It requires the voters to mark the ballot as directed and no other way.

I was the 9th voter in Havelock, Iowa, this morning. As I was being handed my ballot, poll worker Gary Zhorne said that the touchscreen voting machine was not working. “We turned it on but nothing happens,” he said, or words to that effect.

Gary also worked the June primary (when it was working), so he is not new at this. My precinct has both a paper ballot scanning system and the touchscreen machine to serve handicapped voters.

The poll workers also asked for my driver’s license despite knowing me personally. All three of them know me personally. I refused to show it. They tried to find their written instructions on the matter but gave up and let me vote.

Here is the law

3. A precinct election official shall require any person whose name does not appear on the election register as an active voter to show identification. Specific documents which are acceptable forms of identification shall be prescribed by the state commissioner.
A precinct election official may require of the voter unknown to the official, identification upon which the voter’s signature or mark appears. If identification is established to the satisfaction of the precinct election officials, the person may then be allowed to vote.

emphasis added. That’s code 49.77 (3)

But I am an active voter, and they do know me. Nothing is required but my signature.

In the last few days we have learned how to vote twice (or more than twice) on two different models of voting machines. And Whaddya know! One of them is the dominant machine in Iowa, the Diebold paper ballot scanner.

These two news items pretty much demolish what’s left of the credibility of the new voting gadgets. We now know that anything is possible with them–anything from fraudulant programming that could corrupt many machines to easily understood one-person ballot box stuffing.

Take the Sequoia touchscreen (which is not used in Iowa). Turns out there is a yellow button on the back that can put the machine at the mercy of the user, allowing multiple votes to be cast once the button is pushed. The details are on the internet.

Or take the popular scanner used at my precinct in Havelock, Iowa. Researchers at the University of Connecticut have described a way to cast the same ballot several times. They used two sticky Post-It Notes attached one the other. Then both are stuck to the tail end of the ballot, which thus gets a tail about 5″ long. You can see a photo on page 12 of the Connecticut report.

When the ballot is fed into the scanner it is tallied immediately. But it can’t drop into the ballot box if the voter holds on to its “tail”. By pulling the ballot back out and feeding it in again, another vote is cast.

This ballot box stuffing will work best on that razor close race for soil district commissioner or something else that is on the ballot in your precinct alone. No point risking sticky notes (or jail time) to boost your man if someone on the other side of the state is doing the same for your man’s opponent.

The Sequoia stuffing works best for someone with very long arms. Or someone who gets to take the machine for a sleepover.

So the story of new voting machines has reached its absurd conclusion, just in time for the election. Anyone still optimistic enough to have faith in them should make his case in the comments.

Register reporter Jennifer Jacobs has written a primer on Iowa’s voting machines and why they get criticized. She also quotes Charlie Krogmeier telling a whopper:

“We try to be exhaustive in testing the combinations of votes, and if the machines have been programmed to, say, shave off every 10th vote, that should pop up,” he said.

When I went to watch the testing in Pocahontas before the June primary no candidate got ten votes, so they could not detect any vote-shaving as Krogmeier claims. Typically each candidate got one vote to see if it was being read by the machine.

Furthermore they tested the machine in “TEST MODE” but ran it in a different mode on election day.

Besides, any clever programmer wanting to steal an election would be smart enough to hide his theft, as described in the Brennan Center report:

“There are a number of techniques that could be used to ensure that testing does not detect the attack program.

” The attack program could note the time and date on the voting machine’s clock, and only trigger when the time and date are consistent with an election. This method could, by itself, prevent detection during vendor testing, Logic and Accuracy Testing and Acceptance Testing, but not during Parallel Testing.

” The attack program could observe behavior that is consistent with a test (as opposed to actual voter behavior). For example, if Logic and Accuracy Testing is known never to take more than four hours, the attack program could wait until the seventh hour to trigger. (Note that the attack becomes more difficult if the protocol for testing varies from election to election).

” The attack program could activate only when it receives some communication from the attacker or her confederates. For example, some specific pattern of interaction between the voter or election official and the voting machine may be used to trigger the attack behavior. This is often called a “Cryptic Knock.”

Thanks to Sean for finding that quote.

The Register also editorializes on the subject. I’ll go along with many of their conclusions, since this is Iowa after all. Especially I like the point about decentralized election administration.

They make one error, however. The counting is NOT done by local auditors. It is done by the voting machine software, which no auditor is allowed to inspect. Elections are not as decentralized as we like to think.