Electronic Medical Records vs. Electronic Voting


CTVotersCount has addressed the reasons why our trust in ATMs cannot be translated into trusting electronic voting <read>. We have also compared e-voting to supermarket scanning, gambling machines, and electric meters.

In a recent blog post Avi Rubin compares the security risks of electronic medical records vs. electronic voting: A vote in favor of electronic medical records (with caution) <read>

We should be concerned:

amid this rush toward new technology, some doctors and several organizations such as Patient Privacy Rights have raised a yellow flag of caution. In this age of Internet hackers and lost laptops, just how secure, they ask, will these computerized medical records be? After all, it’s a lot easier for someone to waltz out of a hospital with a USB stick in their pocket containing 5,000 patient records, than with many boxes containing the equivalent paper records. Moving electronic records online can make them particularly vulnerable.

To some extent, these fears are justified.

But there is a difference.  The challenges and risks of electronic voting and electronic medical records are different:

Yet what is true for voting systems is not necessarily true for electronic medical records. The adversarial model in these two applications is completely different. In a voting system, all parties should be viewed as adversarial. Everyone has a stake in the outcome, and there is no reason to believe every software developer, election official, poll worker or voter will refrain from tampering with the process. That doesn’t mean these people are malicious. It just means that we need voting systems that can be trusted, even when the people associated with the process are corrupt.

Contrast that with the medical records scenario. Computerized system designers and builders have every reason to want their technology to be secure, and little or no incentive to undercut this. Vendors will sell more systems if their technology is highly secure. Hospital administrators will seek the safest systems to protect patient privacy and keep their institutions off the front pages and out of the courtroom. For patients, the benefits are obvious.

There are many benefits, yet the history of government programs such as the Help America Vote Act provides instructive cautions. We are concerned that money will be thrown at untested software, hardware, and procedures under the cover of a jobs stimulus program, yet provide few U.S. jobs and large profits. We need to look and evaluate cautiously before we leap. As Prof. Rubin says:

Still, we need to be careful. There are many wrong ways to make this transition. If history is any indicator, unless a concerted effort is made to require proper protection, the new medical systems will be no better than the insecure voting machines that many states have purchased. When money flows from Washington, vendors tend to spring up out of nowhere. The ones who gain traction are the ones with the best sales teams, the glossiest brochures and the best connections, but not necessarily the most secure systems. This has happened over and over again in every industry.

We need to make sure that security standards, including evaluation and testing procedures, are established before the billions are spent. Computer security experts in academia, government and industry should all be engaged to establish criteria and evaluation methodologies. We need support from all of the relevant stakeholders, including privacy advocates, the medical establishment, vendors and the technical security community.

Prof. Rubin’s conclusion:

We are facing a golden opportunity to improve the lives of millions of Americans by providing computerized storage and access for medical records. We can reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors. And, we can do it without inordinate risks to individual privacy. Nevertheless, while electronic records appear to be our destiny, the privacy of those records will only be preserved if we are careful and do this right. There will be no second chances.

We would go further in outlining the necessary cautions. In addition to “the privacy of those records will only be preserved if we are careful and do this right,” we can also only “reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors” if we are “careful and do this right,” evaluating the total system. We must be careful that the system actually reduces medical errors. We could have a system that is costly, insecure, useless, and perhaps deadly. Yet, with caution and care we could have a system that is efficient, effective, secure, and life enhancing.

This is out of CTVotersCount’s realm to take a position. Perhaps nobody should be for or against a national program for electronic medical records. Instead one could be either “conditionally for” the concept, yet withholding complete endorsement while awaiting a comprehensive, thoroughly evaluated plan, or “conditionally against,” skeptical of past rushed plans, yet open to the possibility of an effective plan being proposed. In any case, there are significant analogies between electronic medical records and electronic voting, yet also critical differences.

Another Take On ATM’s vs. Voting Machines


CTVotersCount.org Myth #8 – If we can trust our money to ATMs we can trust our votes to computers. <10 myths> <also>

Perhaps ATMs are not as safe as we sometimes think.

Today a story shows that ATMs are vulnerable. SCMagazineUS has the story: ATM malware appears, Diebold issues security update <read>

Security firm Sophos reported this week that it received three samples of a trojan that was customized to run on Diebold-manufactured cash machines in Russia, said Graham Cluley, Sophos’ senior security consultant. The malware was able to read card numbers and PINs — then when the attacker returned to the ATM, he inserted a specially crafted card that told the machine to issue him a receipt containing the stolen information.

“Basically [the malware] would be spewing out the identity information,” Cluley told SCMagazineUS.com on Wednesday. “It’s a really cunning scheme. You need to know how to talk to the ATM. It was working with the Diebold DLL (dynamic-linked library). It knew what API (application programming interface) calls to make, which is information, I suspect, not normally in the public domain.”

Diebold this week disclosed that it issued a security update in January for its ATMs running a Windows-based operating system to address the problem. Diebold told its customers in a letter that a number of its machines in Russia were infected — but the company did not reveal specifics on the attacks.

The somewhat comforting part of this story is that Diebold issued a fix in short order for the problem – while problems in their voting machines go unaddressed for years through multiple software versions.

However, it is a reminder of the vulnerability of any computer system to which someone gains access, including voting systems.

Diebold Audit Logs Miss Critical Data


Kim Zetter at Wired has one of several reports on hearings in California <read>

Summary: “The Humboldt Election Transparency Project” discovered 179 missing ballots in the original election accounting. One memory card total was dropped in accumulating votes after the election. Subsequent investigations found that there was a known (to some) problem in the code that could cause that to happen, yet no record of the event was in the audit logs, and the audit logs could be easily deleted. Yesterday the Secretary of State held hearings, as reported by Kim Zetter:

“Today’s hearing confirmed one of my worst fears,” said Kim Alexander, founder and president of the non-profit California Voter Foundation. “The audit logs have been the top selling point for vendors hawking paperless voting systems. They and the jurisdictions that have used paperless voting machines have repeatedly pointed to the audit logs as the primary security mechanism and ‘fail-safe’ for any glitch that might occur on machines. To discover that the fail-safe itself is unreliable eliminates one of the key selling points for electronic voting security.”

Following a public records request of GEMS logs, Threat Level previously reported that the Premier/Diebold logs did not indicate when election officials in Humboldt County, California, intentionally deleted more than two dozen batches of ballots from their system during the November general election.

The finding raised questions about the integrity of elections conducted with the system, but it was unknown at the time whether the problem with the audit log existed with other versions of the GEMS software used in other counties in California and across the country. Premier/Diebold didn’t respond to phone calls seeking information at the time.

In Connecticut we avoid these specific problems as we do not use the GEMS system for election totaling votes from memory cards.  (Our vendor, LHS uses GEMS for programming the memory cards for each of our elections).  But we don’t avoid similar problems, Connecticut uses an error prone three step process of manual transcription to produce our vote totals – for the November 2008 election this system dropped and added even more votes than the number of ballots dropped in California: e.g. <here> <here> <here> <here>
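The audit-log weakness described above, that deletions leave no trace and the log itself can be deleted, is the kind of defect a tamper-evident log design is meant to catch. The following is an added example, written for this post and not the GEMS product or any vendor’s code, of a hash-chained audit log: each entry commits to the hash of the entry before it, so removing or editing an entry in the middle breaks the chain at that point. It also shows the one case a chain alone cannot catch, truncation from the end, and how storing the head hash separately closes that gap. The event types, precinct names and ballot counts are constructed for illustration.

```python
"""Hash-chained audit log for a tabulation workflow.

Example code added to this post; not GEMS or any vendor's code.
Event names, precinct labels and counts below are constructed.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # the "previous hash" used for the very first entry


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    """Hash over the previous entry's hash, this entry's sequence number and its event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{payload}".encode()).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append one event; its hash binds it to everything that came before."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    entry = {"seq": seq, "event": event, "hash": _entry_hash(prev_hash, seq, event)}
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head: Optional[str] = None):
    """Return (ok, problem).

    Checks that sequence numbers are contiguous and every hash recomputes.
    If a head hash that was stored outside the log is supplied, also checks
    that the log has not been cut off at the end; without that external
    anchor a truncated chain still verifies internally.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap before seq {entry['seq']}"
        if entry["hash"] != _entry_hash(prev_hash, i, entry["event"]):
            return False, f"hash mismatch at seq {i}"
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, "head hash mismatch (entries removed from the end?)"
    return True, None


def build_sample_log() -> list:
    """Constructed sequence of tabulation events, including a batch deletion."""
    log = []
    append_event(log, {"type": "card_upload", "precinct": "P-1", "ballots": 412})
    append_event(log, {"type": "card_upload", "precinct": "P-2", "ballots": 389})
    append_event(log, {"type": "batch_delete", "precinct": "P-2", "batches": 26})
    append_event(log, {"type": "card_upload", "precinct": "P-3", "ballots": 179})
    return log


def demo():
    """Run the intact log and three tampering scenarios through verify_chain."""
    log = build_sample_log()
    head = log[-1]["hash"]  # published or sealed separately from the log file
    intact = verify_chain(log, head)

    # Someone removes the deletion record from the middle of the log.
    middle_removed = [e for e in log if e["event"]["type"] != "batch_delete"]
    middle = verify_chain(middle_removed, head)

    # Someone truncates the log from the end.
    truncated = log[:-1]
    tail_without_head = verify_chain(truncated)        # chain alone: looks fine
    tail_with_head = verify_chain(truncated, head)     # sealed head: detected
    return intact, middle, tail_without_head, tail_with_head


if __name__ == "__main__":
    labels = ["intact", "middle entry removed",
              "truncated, no sealed head", "truncated, sealed head"]
    for label, result in zip(labels, demo()):
        print(f"{label}: {result}")
```

The point of the last two scenarios is that a hash chain makes in-place deletion detectable, but only an anchor kept outside the log (a printed head hash on the canvass report, for instance) makes deletion of the tail, or of the whole log, detectable as well.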

********
Update 3/25: Diebold tries to cut off Humboldt. Are they sending a message, “Don’t Tread on Diebold”?

Here is the Daily Voting News Summary, which is a good summary of what we have so far <read>

Yes Virginia! – No Ballots, No Problems – Trust The Memory

Close election in Fairfax County decided by reading computer memory.


A close election in Virginia with electronic touch screen voting.  They have optical scanners, but they saved some paper and used their expensive touch screen machines.  One machine made an obvious error so they counted the votes in the memory log on the two machines in that precinct and declared the records in memory accurate.  Yet what about all the other machines that counted 89 votes more for one candidate out of 12,000 cast?

Stories in the Washington Post,  BradBlog and LocalTV

According to Brad and the WaPo:

the geniuses who run Fairfax County’s election decided to use only touch-screen systems in the election yesterday, despite having used both paper ballots and touch-screens in last November’s election. The WINVote “is the most widely used touch-screen voting machine in Virginia,” according to the Washington Post story in which explanations are given for why the Republican “narrowly defeated” the Democrat by 89 votes.

Officials are “not yet sure what caused the device to malfunction.”

WaPo’s earlier story — when the Republican John Cook was said to have been leading the entirely-unverifiable election by 69 votes, before the wholly-unverified and unverifiable “votes” from the failed machine were printed out, one-by-one, and then tallied by officials from the machines memory — notes that the race came down to the votes cast in the single precinct where the machine failed.

Brad had the same reaction that I did to a quote in the local TV story:

Voters are mixed. “I think the electronic equipment these days is pretty good,” said Fairfax County resident Julie Stewart. “But paper would be fine if they’ve got a lot of money and they want to spend the time doing it,” said Fairfax County resident Richard Carlson.

…Dear Richard: Paper elections are cheaper, more accurate, and take no more “time” to tally than touch-screen elections. And at the end of the day, it’s possible to know who actually won them.

Maybe it is all mostly accurate.  We have no reason to assume the result is inaccurate.  But, without a voter verified paper record who knows?  Maybe there is a lesson in here for us.  Unfortunately, there is also a lesson here for those looking for ways to game the system in the future.

Or Could We Have Been Even Better Off With Levers?


BradBlog reports that the Election Assistance Commission (EAC) may have been wrong when it issued an advisory indicating that lever machines were banned by the Help America Vote Act (HAVA) <read>

The EAC Lied, Lever Voting Machines (Almost) Died

Exclusive: Discredited federal E-voting oversight commission issued an incorrect 2005 ‘legal advisory’ helping to keep NY on a collision course with democracy
But it’s not too late to save the last transparent electoral system in the United States…

So what is driving New York State to stick with a law that so many in New York believe to be such a bad idea? As a New Yorker who has been talking to many election commissioners, legislators and citizens, I was surprised to learn how many people believe the “Help America Vote Act” (HAVA) actually banned lever machines.

I read HAVA. It clearly does not ban levers. I recently discovered what has helped fuel this misinformed opinion in part: it is the discredited position of the discredited U.S. Election Assistance Commission (EAC), as detailed in a newly-unearthed document prepared for the state of Pennsylvania, at their request, in regard to the legality of lever voting machines.

We remember that Connecticut and New York were “late” in becoming HAVA compliant. Connecticut rushed to comply, almost making the expensive and risky mistake of purchasing uncertified “touch-screen” machines from Danaher, with the Secretary of the State, thankfully, changing course to optical scanners. New York chose to defy the feds and stick with levers until a suitable alternative could be found.

But there is more to the story. Here is a quote in the article, not clearly attributed, purporting to describe lever machines:

* For those who don’t know, here’s how lever machines work:
Voter pulls lever for candidate of her choice; gears increment a mechanical counter by one and only one vote — only for the desired candidate. No vote switching or overvoting is possible! (Some machines increment the counters as the big lever is pulled, but unlike software, either method of operation can be observed and thoroughly tested before and after each election and both have been completely disclosed in the machines’ patents.) Rinse and repeat for the entire ballot, which takes less than a minute for most voters. Change or correct your votes as many times as you like – not just three. When you’re done, just pull the big lever that casts the ballot, locks in all your votes, opens the privacy curtain, and repositions the candidate levers for the next voter, leaving the locked immutable mechanical counters as the durable record of all the votes cast on the machine — until after the election is certified. On election night, a permanent paper record of the vote tallies on each machine is produced by the machine, and/or by bi-partisan teams of poll workers, before the machine is moved and the poll workers are permitted to leave.

Not so fast. Looking at comment #3 below the article, David Jefferson makes the case against levers:

Without commenting on the rest of this posting let me say that the italic comment at the bottom that describes lever machines somewhat mischaracterizes them.

1) Although it is true that the mechanics of a lever machine are vastly simpler than software, and can be understood by careful observation (if the back of the machine is open) by a mechanically inclined person, it is easy to tamper with the gear mechanism so that it miscounts votes, either by failing to increment one time out of 10 or by failing to carry into the next decimal place. This almost always causes an undercount for particular candidate(s), and not an overcount. If such a problem occurs, it is unlikely to be discovered very quickly, since undercounts never lead to any outright inconsistency with the counts of voters or any other data. And whether the problem is detected or not, there is no possibility of recovery, because there is no redundancy at all, let alone anything you would call an audit trail.

2) The same is true if the machine has been misconfigured (equivalent to having a bad election definition file). There may be no recovery.

3) It is true that you can change your (tentative) vote as many times as you want with lever machines. But you can also do that with DREs. The max number of three spoiled ballots is only a limitation of paper ballots, and then only because of an arguably obtuse law–not for any fundamental reason.

4) The counters are not any more “immutable” than any other volatile memory medium. If I remember correctly, a single key turn allows all counts to be zeroed, with no record of the time that occurred, or who did it, or anything else. Arguably, the paper record of the counts is just as durable as the counts that are stored mechanically.

5) A lever machine does not accumulate a “record of all the votes cast”. It records only counts of the votes cast, which is vastly less information than any other voting system. There is absolutely no redundancy in this information, as there is with all other forms of voting, which is why it is impossible to do a meaningful audit that corresponds in any way to the audits that are possible with paper ballots or VVPAT.

We tend to agree with David Jefferson about the attributes of lever machines.  Yet, given all that we know now – the cost of optical scanners — the risks without sufficient, reliable audits — the stories we have heard from registrars about problems with lever machines covered over in the backrooms in Connecticut — it is a close call.  But with sufficient audits, a stronger chain-of-custody for ballots, and manual recounts we still would favor optical scanners.

Reminder: We’re Better Off With Optical Scanners


For those who question the costs of our post-election audits, OpEd News reminds us that it could have been much worse. We could have been stuck with touch screens (DREs) which would have cost much more, are less safe even with a paper trail, and are much harder and more expensive to audit. A picture is worth a 1000 words! <read & view photo>

Also note that the November 2008 audit cost Connecticut about $0.06 per ballot cast. That is a small price to pay when a typical high-turnout election in Connecticut costs towns in the range of $5.00-$10.00 per ballot cast. My polling place is a mile and a half away, so it costs me close to $1.00 round trip just to drive to vote.

A look back:  Hartford Courant Editorial, December 7, 2006:  A TrueVote Vindication, Connecticut owes TrueVote CT a debt of gratitude. <read>

What Can Science Do For Us? – Nothing Unless We Pay Attention


American Association for the Advancement of Science meeting, “Science for Public Confidence in Election Fairness and Accuracy” <read>, with statements by Ed Felten and Arlene Ash.

it’s mathematically impossible to verify that the code they run will behave properly under all circumstances, which means that the best we can do is provide a verifiable and auditable record of the vote, allowing problems to be identified retrospectively. Even that’s difficult to reconcile with our expectations for anonymity; in describing the challenge of creating an algorithm that simultaneously encrypts and anonymizes the votes, Felten said, “we’ve reduced this to a previously unsolved problem—we’re really good at that in computer science.”

Until that problem is solved, many states are opting for optical scan voting or printing voter verifiable receipts, which can allow a post-election audit to identify significant problems. But running these audits raises a whole new series of issues, some of which are less a technical challenge than a matter of how carefully we want to listen to what a rigorous analysis of a vote tells us…

This, from Ash’s perspective, represents the crux of the problem. We have sophisticated statistical tools that we rely on for everything from medical research to verifying the flow of money through Las Vegas casinos but we simply haven’t chosen to mandate that they be used to verify election results. Even in cases like the elections in Sarasota, where they were deployed, the results were deemed legally irrelevant unless they provide an indication that election results were distorted by malice or intent. Sloppiness or incompetence, apparently, is acceptable, despite our country’s promise to respect the intent of the voters.

Answer Quick: What Do Premier/Diebold and Wal-Mart Have In Common?

Hint: It is not low prices for computer memory cards.

The Raw Story has the story <read>

To convince Utah decision-makers that Premier was a big company with a substantial presence, Kathy Dopp, founder of UtahCountVotes.org, reported that a company representative told the decision-makers in 2006 that Diebold “has about 20 offices in Utah.” When pressed further, the representative refused to give the locations of any of the offices. In fact, the White Pages lists 18 Diebold offices.

However, when calls were made to all of these offices, only one picked up the phone. And when the addresses of offices listed under Diebold in the White Pages were visited, the addresses turned out to belong to either a Wal-Mart, a Sam’s Club, or no building at all. In the end, 16 of the 18 Diebold offices in Utah listed in the White Pages were false listings…

A quick investigation by Bob Fertik on Democrats.com revealed that a similar scam existed in New York, with another Diebold listing in Buffalo turning out to be a Wal-Mart. Out of 13 listings in Florida, 5 turned out to be Wal-Marts. Similar office listings have been uncovered in Alabama, Mississippi, and New Hampshire.

CA: Bowen Considers Decertifying Premier/Diebold GEMS


Update: John Gideon attempts to get a straight answer from the EAC <email exchange>

**********

Based on the problems discovered in Humboldt, CA, Secretary of State Deborah Bowen is considering decertifying the GEMS system. But it’s complex and unclear exactly what decertification would mean. This is another case of being caught between the Glitches and the Gotchas, at the mercy of a broken system of certification and an oligarchy providing inadequate products.

The Eureka Times-Standard has the story <read>

Chris Riggall, a spokesman for Premier Elections Solutions, said in a previous interview with the Times-Standard that the company had known of the programming error since 2004. Saying the certification process is too lengthy and time consuming to have had the software re-certified, Riggall said Premier instead issued “work around” orders by e-mail to its customers instructing them how to take steps to avoid the problem…

The transparency project that discovered the error passes every ballot cast in an election through an optical scanner after it’s been officially counted. The ballot images are then placed online, along with open-source software, created by volunteer Mitch Trachtenberg, that allows viewers to sort the ballots by precinct and scrutinize the vote as they see fit…

But, the possible decertification of the version of GEMS currently used in Santa Barbara and San Luis Obispo is raising some questions there for elections officials, especially with the state calling a special election in May. Officials in both counties said they are still looking into how they would proceed if the approval of their voting systems were to be withdrawn.

Meanwhile, some in the election watchdog community are pushing for either the Secretary of State’s Office or the federal Elections Assistance Commission to pursue punitive actions against Premier, which they say knowingly kept elections systems in place that had unacceptable error rates.

Riggall said Premier has done nothing disingenuous, and notified its customers immediately upon discovering the error in its vote counting system, carefully instructing them how to “work around” the problem.

”I don’t see that there is anything — absolutely nothing — in how we have handled this issue going back several years that has been disingenuous,” Riggall said.

Meanwhile, in Connecticut we don’t use this particular function of the GEMS system to accumulate election results. We use GEMS for a different, unrelated function: our vendor, LHS Associates, uses GEMS to program our elections. To accumulate vote totals we use a three step system of manual transcription and addition, which also can be, and has been, prone to errors.

Another Audit – Another Diebold Error


Ohio is conducting its first post-election audits. Like the recent audits in Humboldt, CA, and CT, the Ohio audit has uncovered discrepancies in the machine and manual counts. Here is one of the stories, by Kim Zetter at Wired <read>

Montgomery County officials discovered that although the five votes were recorded to a memory card inside the voting machine, the votes weren’t counted by the tabulation software when the memory card was uploaded to the tabulation server. Premier’s Global Election Management System (or GEMS) is the tabulation software that counts votes from memory cards.

We also note the excellent comments of John Gideon of VotersUnite <read>

What does Diebold/Premier have to say? “We have not seen this particular condition anywhere else in Ohio or anywhere else in the country,” according to spokesman Chris Riggall. Clearly Riggall is joking. Of course they haven’t seen this condition in Ohio because Ohio has not done these audits in the past and the lack of audits across most of the rest of the country would ensure that no problems would have been found in the past. Where there are audits that may have found this condition, the condition is ignored or just shrugged-off. What they ignore is that there is federal law that dictates accuracy of voting systems and even the loss of these 5 ballots in a county that saw over 280,000 ballots cast is a violation of that law
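The Montgomery County finding above, votes present on a memory card but absent from the central tally once the card was uploaded, is exactly what a per-card reconciliation check would surface without waiting for a hand count. The following is an added example, written for this post and not Premier/GEMS code, of such a check: it rebuilds the expected per-precinct, per-contest totals from what each card reports, compares them against the totals the tabulation software produced, and also flags any card the tabulation never processed. The card identifiers, precincts, contest and candidate names, and vote counts are constructed; the scenario mirrors the one in the story, with one small card (5 votes) written but never counted.

```python
"""Reconcile memory-card totals against central tabulation totals.

Example code added to this post; not Premier/GEMS code. All identifiers,
names and counts are constructed for illustration.
"""
from collections import Counter


def reconcile(cards: list, tabulated: dict, processed_ids: set) -> dict:
    """Compare what the cards report with what the tabulation counted.

    cards:         list of {"card_id", "precinct", "contest", "votes": {candidate: n}}
    tabulated:     {precinct: {contest: {candidate: n}}} as reported by the central tally
    processed_ids: card ids the tabulation says it uploaded

    Returns {"uncounted_cards": [...], "discrepancies": [...]}; both empty
    when everything reconciles.
    """
    expected: dict = {}
    for card in cards:
        contest = (expected.setdefault(card["precinct"], {})
                           .setdefault(card["contest"], Counter()))
        contest.update(card["votes"])

    uncounted = sorted(c["card_id"] for c in cards if c["card_id"] not in processed_ids)

    discrepancies = []
    for precinct in sorted(set(expected) | set(tabulated)):
        exp_contests = expected.get(precinct, {})
        tab_contests = tabulated.get(precinct, {})
        for contest in sorted(set(exp_contests) | set(tab_contests)):
            on_cards = exp_contests.get(contest, Counter())
            counted = Counter(tab_contests.get(contest, {}))
            # Counter returns 0 for a candidate missing on one side, so a
            # candidate present on the cards but absent from the tally is caught too.
            for candidate in sorted(set(on_cards) | set(counted)):
                if on_cards[candidate] != counted[candidate]:
                    discrepancies.append({
                        "precinct": precinct,
                        "contest": contest,
                        "candidate": candidate,
                        "on_cards": on_cards[candidate],
                        "tabulated": counted[candidate],
                        "difference": counted[candidate] - on_cards[candidate],
                    })
    return {"uncounted_cards": uncounted, "discrepancies": discrepancies}


def votes_at_stake(result: dict) -> int:
    """Total absolute vote difference across all flagged discrepancies."""
    return sum(abs(d["difference"]) for d in result["discrepancies"])


def demo_reconcile() -> dict:
    """Constructed scenario: precinct P-7 has two machines (two cards); the
    second card, holding 5 votes, is written but never counted centrally."""
    cards = [
        {"card_id": "CARD-A", "precinct": "P-7", "contest": "Council",
         "votes": {"Smith": 210, "Jones": 198}},
        {"card_id": "CARD-B", "precinct": "P-7", "contest": "Council",
         "votes": {"Smith": 3, "Jones": 2}},
        {"card_id": "CARD-C", "precinct": "P-8", "contest": "Council",
         "votes": {"Smith": 150, "Jones": 175}},
    ]
    tabulated = {
        "P-7": {"Council": {"Smith": 210, "Jones": 198}},
        "P-8": {"Council": {"Smith": 150, "Jones": 175}},
    }
    processed_ids = {"CARD-A", "CARD-C"}
    return reconcile(cards, tabulated, processed_ids)


if __name__ == "__main__":
    result = demo_reconcile()
    print("cards never counted:", result["uncounted_cards"])
    for d in result["discrepancies"]:
        print(f"{d['precinct']} {d['contest']} {d['candidate']}: "
              f"cards={d['on_cards']} tabulated={d['tabulated']} diff={d['difference']}")
    print("votes at stake:", votes_at_stake(result))
```

Two things this check needs that the story says were missing: an independent record of what each card held (here the `cards` list, in practice the machine’s own results tape or printout), and a list of which cards the tabulation actually processed. Without both, a dropped card looks identical to a card that was never cast.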


What does this Diebold error mean for Connecticut?
