Yesterday, Harmony Tapper put together an excellent post on the state of voter roll security, highlighting the fact that very little attention has been paid to the security of the systems that are responsible for registering voters and the systems that are responsible for storing voter registration.
I’ll let Harmony’s post stand on its own (even though I did briefly address it on a segment I did for NewsDesk this morning), but I feel compelled to write on the topic of voting machine security, particularly since I see so many ostensibly credible sources of journalism speaking to the topic today.
In fact, this morning I had an email in my inbox from a concerned voter after reading a post he found on Yahoo! News entitled: Voting Machines: Why we’ll never trust them.
In the post, the editorialist (a left wing blogger who’s worked for The New York Times, Harpers, New Yorker, and Slate) presented a great deal of FUD, but no facts, surrounding voting machines nation-wide. She admits being mystified by her phone, but doesn’t let her lack of technical mastery prevent her from spreading what she admits are unverifiable rumors of security questions around voting machines.
And machines—in the age of pocket telephones so cerebral that “smart” seems to understate it—have become like valets to gentlemen in the 17th century. They’re indispensable, entrusted with our deepest secrets and profoundly suspicious, all at once.
No wonder, then, that Democrats, too, fear the devious machinations of voting machines. A rumor has persisted throughout the election season in blogs like Truth-out.org and the e-book “Will the GOP Steal America’s 2012 Election?” that the Romney family doesn’t just meddle with voting machines in Ohio. It owns them.
There is no evidence that this is true. But if you’re inclined to pull the thread of this ominous charge—which means revisiting the elections of 2000 and 2004, and immersing yourself in the relationship of Ohio’s former Secretary of State, Diebold software, a mysterious plane crash, Karl Rove and the Bush family—by all means, go Oliver Stone on it.
Similarly, Mashable published a piece of technology reporting this morning so bad that it’s embarrassing for me to admit I once worked there. In it, “veteran journalist” Chris Taylor posits that the Ohio Secretary of State John Husted commissioned a patch to vote tabulation machines that allows him to re-write it how he sees fit.
Late last week, a leaked work order revealed that John Husted, Ohio’s secretary of state, had installed something called EXP on central tabulation machines in 39 of Ohio’s 88 counties. EXP is either an “experimental software patch”, according to the company’s work request to ES&S, or, as the Secretary of State’s office has called it, a “reporting tool”.
Unfortunately (for Chris), the facts as he reports them are demonstrably false. The “leaked work order” doesn’t call it an experimental software patch, but a “reporting tool.” That terminology isn’t just the defense of the SoS, but the actual purpose of the software.
But let’s set aside this for a moment – the attack vector they’re suggesting in the Mashable post makes exactly as much sense as the attack vector that was suggested in 2004 in Ohio, which I roundly debunked here on my personal blog then.
In 2004, I did a lot of work on a daily basis with Access databases, which was the Microsoft database format in use with all the Diebold machines, which the post you link to cites as part of the "votehacking conspiracy."
There are two things at stake, as I’m reminded by familiarizing myself with the details… there are allegations and acknowledgements of programming errors (which happen a lot), and then there are allegations of conspiracy. I don’t deny that there are problems with the machines – but is there a conspiracy? I seriously doubt conspiracy is possible on a grand scale.
From a post I wrote in 2004:
"…the source code to the Diebold voting machines was supposedly leaked last year some time, and there were security flaws found in that. If you search for “rob-georgia.zip” on a file-sharing network or on Google, you’ll find both reference to it, and if you’re lucky, the actual source code."
"The truth is, however, no matter if you are able to change votes in a password protected Access database or not (a task a script kiddy could handle), you still have the problem of file dates to contend with, which are written by the local machine, not the uploading machine. And if the modems were plugged into the phone lines on the Diebold voting machines, as Bev often suggests that they are, and then the Access files were then uploaded after the voting period ended, the file dates would show a time that was inconsistent with what it should show as when the last vote was cast. Is that clear? Let me make it a bit clearer as I think I might be making it confusing… "
"Let’s say from 9 am-5 pm is the voting period when votes are actively being taken in. File dates contain both the date of the file as well as a time stamp. Now let’s say that everything went all kosher, and no fraud took place. The date stamp on the Access database would be the time when the last vote was cast (in this utopian scenario, let’s say it was 5:00 on the dot)."
"In the fraudulent situation, there are two scenarios. A.) the fraudulent database file was placed on the hard drive before or during the election process, and a batch file was hidden on the system to at the end of the day copy the file over the real database (this eventuality is very unlikely) or B.) the fraudulent database file was uploaded after all voting took place, overwriting the existing database. "
"In both cases, the polling station would show what should be an invalid date stamp. No date stamp should read that polling ended at 11am, for instance, nor should it read that the last vote was cast at 6:30 pm, in this scenario. "
"There then arise a couple eventualities given this data: A.) the system was programmed to be fraudulent, and this programming was either endorsed by or ignored by the bulk of the 13,000 Diebold employees or B.) All the election observers and poll workers in all counties don’t pay attention to date stamps on the votes. "
At the end of the day, there are a handful of activist journalists who continue to flog this theory of systemic, high level corruption where dollars and shadowy capitalistic tycoons are influencing elections with their investments and legions of paid hackers.
While cyberwarfare is a thing, and security vulnerabilities are a real threat to all manner of systems, governmental and private, the most vulnerable part of the election process isn’t the voting machine, and thus focusing on the security of electronic voting is a major distraction from real threats to the democratic process.
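The file-date argument from the 2004 post quoted above can be run as a check over a set of tally databases. This is an added example, not code from the original post; the `.mdb` file names, the five-minute tolerance and the poll workers' closing record are assumptions, and the files are constructed in a temporary directory.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Constructed polling window from the post's scenario: 9 am to 5 pm.
POLL_OPEN = datetime(2004, 11, 2, 9, 0)
POLL_CLOSE = datetime(2004, 11, 2, 17, 0)
TOLERANCE = timedelta(minutes=5)  # assumed allowance for clock drift

def classify_mtime(mtime, last_vote_logged):
    """Classify one tally database's modification time."""
    if mtime < POLL_OPEN:
        return "written-before-polls-opened"
    if mtime > POLL_CLOSE + TOLERANCE:
        return "written-after-polls-closed"
    if abs(mtime - last_vote_logged) > TOLERANCE:
        return "does-not-match-last-logged-vote"
    return "consistent"

def audit(entries):
    """entries: (path, last_vote_logged) pairs; reads the on-disk mtime."""
    findings = {}
    for path, last_vote_logged in entries:
        mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
        findings[os.path.basename(path)] = classify_mtime(mtime, last_vote_logged)
    return findings

def demo():
    """Create three constructed database files and audit them."""
    stamps = {
        "precinct_a.mdb": datetime(2004, 11, 2, 17, 0),   # last vote at close
        "precinct_b.mdb": datetime(2004, 11, 2, 18, 30),  # rewritten after close
        "precinct_c.mdb": datetime(2004, 11, 2, 11, 0),   # stops at 11 am
    }
    last_vote_logged = POLL_CLOSE  # assumed poll workers' closing record
    with tempfile.TemporaryDirectory() as workdir:
        entries = []
        for name, when in stamps.items():
            path = os.path.join(workdir, name)
            open(path, "wb").close()
            os.utime(path, (when.timestamp(), when.timestamp()))
            entries.append((path, last_vote_logged))
        return audit(entries)

if __name__ == "__main__":
    for name, finding in demo().items():
        print(f"{name}: {finding}")
```

Because the date stamp is written by the local machine, a "consistent" result means only that it agrees with the independent closing record; it is one signal to compare against other records.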