Last week's New Hampshire primary raised questions about the veracity of tallies from electronic voting machines -- not the DRE (direct-recording electronic) touch-screen machines that have drawn heavy criticism around the country, but the optical scanners designed to record votes cast on paper ballots.
In Ohio, where numerous problems with the 2004 election process drew fire from observers around the nation, current Secretary of State Jennifer Brunner recently unveiled a federally funded report. The "Evaluation & Validation of Election-Related Equipment, Standards & Testing" (EVEREST) report describes problems so endemic that the system's integrity is provided purely by the integrity and honesty of election officials.
Based on the EVEREST report, Brunner made a number of recommendations to Governor Ted Strickland and Ohio legislators, including elimination of DREs, a move to centralized ballot counting, institution of "no-fault" absentee voting, and development of new early and election-day voting centers.
In a recent interview with e-voting activist Brad Friedman, Brunner detailed various findings of that report, explaining the parallel evaluation paths that arrived at similar conclusions. She also described the results -- including weaknesses with optical scan units that could have bearing on their use elsewhere. We've excerpted portions of that interview for Computerworld.
On planning the testing process
Brunner: We conducted parallel independent testing; we used not only academic researchers, but [also] corporate scientists. They did the same type of security testing, in what we would call a parallel independent method.
I looked at the spectrum of people who were interested in these issues, starting from the voting activists, moving onward to the voters who've been more concerned about their election experiences and the integrity of the system, and then onward to Board of Elections officials and voting-machine manufacturers.
I saw that perhaps the academic scientists would have greater credibility with the activists, while the corporate scientists might have greater credibility with the election officials and the manufacturers, and that if we compared the results of the two and they're similar and identical, that actually we will gain the confidence of the public in what our results were.
On the double set of test results
Brunner: They were largely identical. The only difference is that the academic researchers were also performing source-code review on all three systems. [Editors' note: Ohio tested systems from Election Systems & Software Inc. (ES&S), Hart InterCivic Inc. and Premier Election Solutions (formerly known as Diebold Inc.) -- the three manufacturers certified for state voting purposes.] And so there was an additional dimension to the report of the academics.
But the interesting thing is, the corporate scientists -- a company from Columbus called MicroSolve -- looked at this as a computer-based system [using] industry standards for computer security. And the systems that have been certified here in Ohio performed miserably.
On SysTest Labs, the corporate testing partner on EVEREST, which famously in 2006 declared all the voting machines it had tested to be "accurate, reliable and secure"
Brunner: SysTest did not test [on EVEREST] for security. We ended up breaking the task into four different areas: performance, [meaning] general performance of the machines and the systems; configuration management, [meaning] are all the machines configured to the same level according to certification in the state; security; and internal controls and operations. SysTest looked at the other three areas besides security.
SysTest actually accommodated our ability to employ academics to do the research. We were able to bring the academics in as subcontractors to SysTest to meet all the state purchasing requirements that we had, and SysTest actually found a number of problems in the areas that they reviewed.
Some of those problems with policies and procedures are my responsibility as secretary of state to clear up. Some of them are ones that I inherited, such as no kind of documentation of the configuration of these machines, or [ascertaining whether] all their software [is] at the same level. With the performance issues, they found some things that were satisfactory, and they found some things that were unsatisfactory.
Each party proceeded independently -- each researcher, each contractor that worked on the study. The academics worked as a team; the principal investigator or lead researcher was Patrick McDaniel from Penn State.
On current trends in e-voting regulation
Brunner: It's likely that we'll expand our recommendations, because the environment in which we've made those recommendations is changing. For instance, the [federal] Holt bill [HR811] may actually be revived to allow states to opt in for a paper trail now and also for a postelection audit. And the reward would be federal reimbursement for undertaking those procedures or purchasing that equipment.
On centralized vs. precinct-based vote-counting
Brunner: Because of the security risks that were identified by the researchers in the study, ultimately I think [decentralized counting] would be very beneficial, because it's worked in the past. But until the engineering in the system is to the level that it should be to protect the systems against viruses that can be inserted into the system through something as simple as a PDA and a magnet, with the cards passed from machine to machine almost like Typhoid Mary, I think that we have to take greater care.
So we compensate for what we lose in the precinct-based optical scan by [procedures] such as a postelection audit, by ensuring that observers can be there during the counting. Also [we compensate] by placing precinct-based optical scanners in each polling place to allow a voter to insert their ballot, check for overvotes, be able to have that ballot back, make changes and then place it into a ballot box.
What I think is being missed by a lot of these academic folks, who often focus on one particular issue in the election process, is that there is the potential to inject malicious software into a system. I'm talking purely computer security at this point -- but these are computer-based systems. They operate from a server. There is firmware in machines that are in the polling places, they can be tampered with, they can be penetrated. And if there is malicious software, like a virus put into the system, it can not only affect the machines at the polling places, it can [also] affect the tabulation that occurs at the server. And it can also affect future elections if it's not detected, because we go back to the question of risk.
And first of all, we need to know if it's detectable; second of all if it's recoverable -- if it can be recovered from. And I think that they're not grasping the severity of the risk to the system from a purely computer-based standpoint. What our researchers found is that with actions that look much like a person simply voting, risks that would be difficult to detect could be entered into the system. And what I've been working hard to get people to understand is that I'm not proposing a permanent solution. I'm proposing a way to deal with the limitations in the equipment that we have now. It's all that's available to us.
On dangers with optical-scan and DRE systems
Brunner: One of the very startling concerns that was raised for me was the ability -- with the optical scanner that's predominantly used in the polling places in Ohio -- to turn off the memory of the optical scanner. The ballots continue to be scanned, but the memory is not capturing the votes. Still, if you were to take the report and assign the numbers of risks to each component in the system, I think you're going to see that the greatest number of risks are with the DRE systems.
I don't pretend to have all the answers. We took this report of 800 pages, and we synthesized it, we redacted trade secrets and security issues in the report, and we developed recommendations with a group of 12 bipartisan election officials -- in a week. And so we're not done.
On not calling for system decertifications, as California did after their 2007 tests
Brunner: To do so, I would have to work through the Board of Voting Machine Examiners, to which I have appointed the members. But looking at where we are, so close to the March primary, [decertification] would have created chaos.
My biggest goal, in my first year in office, is to restore and ensure voter confidence in Ohio. Looking at the partisan climate that seems to exist in Congress, that seems to exist in some of the folks in the Ohio GOP, the last thing I wanted to do was to set this up as a partisan debate. Because there is not a Republican or a Democratic way to run a fair election. What's fair is fair.
The full interview with Brunner is available at BradBlog.com.