In a follow-up to the Ohio voting machine reports and the dramatic action of Ohio’s Secretary of State, Jennifer Brunner, Brad Friedman interviews her about the report, her critics, and concerns with the solution of central count optical scan. <read>Â
Note: Connecticut does use central count optical scan, only for absentee ballots. Perhaps less of an issue here because we do not have election officials in place who have flagrantly violated election laws. Yet, we would be much more comfortable if the central count optical scanners were included in the post-election audits.
JB: I had been concerned because I saw the reaction that Debra Bowen had in California, that she experienced, but we had the benefit in Ohio of seeing some of the things that she faced in looking at what we could do to prevent some of that. And part of what, I think, helped us was that we conducted parallel independent testing. So we not only used the academic researchers but we used corporate scientists and they did the same type of security testing in what we would call a parallel independent method. So we had additional validation.
The way that I analyzed the situation was that I looked at the spectrum of people who were interested in these issues, started from the voting activists, with the voters more in the center who’ve been more concerned about what their election experience and the integrity of the system, and then to Board of Elections officials and voting machine manufacturers. And understanding that, perhaps, the academic scientists would have greater credibility with the activists, while the corporate scientists might have greater credibility with the election officials and the manufacturers, and that if we compared the results of the two and they’re similar and identical that actually we will gain the confidence of the public in what our results were.
BB: And [those results were] largely identical from both the academic and corporate testers?
JB: They were largely identical. The only difference is that the academic researchers were also performing source code review on all three systems. And so there was, there was an additional dimension to the report of the academics. But the interesting thing is, is that the corporate scientists, which was the company from Columbus called MicroSolve, basically looked at this as a computer-based system — industry standards for computer security — and the systems that we have, that have been certified here in Ohio, performed miserably.
…
BB: And I asked [the critics from Brennan Center and elsewhere] about that yesterday. They had a conference call on some of these issues. And I shared with them, some of your responses. And they said, well, while they understand them, the risks you [refer to] are sort of understandable, if you’re talking to computer scientists, but not to election administrat[ration experts], who understand how it works, and that the risks you take with central-based counting are far outweighed with precinct-based counting because if there is some of the [inappropriate] access and the viruses and so forth that you suggest, it’s far more decentralized.
I did try to hold their feet to the fire on the point that you had made to me. And they said there was still no comparison in [the safety added by] doing precinct-based counting, that most of the chicanery happens when there’s transport of these ballots back to the County. The chain of custody sort of disappears at that point and, as you know, many of the counties — and the bad guys who did some pretty questionable things in ’04 — are still running things in places like Warren County and elsewhere.
Doesn’t that concern you? And their criticism, we’re talking about a lot of well-known election integrity and administration experts, like Larry Norden from Brennan Center, Candice Hoke from CSU and so forth. Are you hearing those complaints about your recommendations?
…
JB: … but let me focus first on the issue of security. What I think is being missed by a lot of these academic folks, who often times focus on one particular issue in the election process, is that there is the potential to inject malicious software into a system — and I’m talking purely computer security at this point — but these are computer-based systems.
hey operate from a server, there is firmware in machines that are in the polling places, they can be tampered with, they can be penetrated, and if there is malicious software, like a virus put into the system, it can not only affect the machines at the polling places, it can affect the tabulation that occurs at the server and it can also affect future elections if it’s not detected, because we go back to the question of risk. And first of all we need to know if it’s detectable, second of all if it’s recoverable, if it can be recovered from. And I think that they’re not grasping the severity of the risk to the system from a purely computer-based standpoint.
BB: Well, some of the folks I have talked to are, you know, computer experts, and I gotta tell you, Jennifer, that I was the one, remember, who gave the Diebold touch-screen system to Princeton for the study that revealed how easy it was to insert a virus on these systems.
And I gotta tell ya, looking at it — and certainly as a ten-year computer programmer myself — I’m really concerned about the transparency that gets lost when we centralize things as opposed to the decentralized counting. So I do hope you’ll continue to talk with them about it, because these folks who I’ve talked to, I believe do understand the computer-related risks that we’re talking about. But [they] understand that there needs to be, that there is mitigation [of those risks], in the more public precinct-based counting.