By Lambert Strether of Corrente.
Readers will recall that H.R. 1, the Democrat’s flagship bill for the 116th Congress, gestures in the direction of paper ballots, but in fact allows ballot marking devices that rely on OCRs for the count and emit paper receipts for voters (often called ballots for marketing purposes, falsely, since the actual count is performed in the internals of the device). I am sure I do not need to remind readers that hand-marked paper ballots, hand-counted in public are the international standard for elections; and that they are used in the Canada, the UK, Germany, and many other countries. The United States, as in so many other ways, is
exceptional aberrational in that it has managed to commit itself to systems that are both more expensive and much more dysfunctional MR SUBLIMINAL For whom? than those used in the rest of the world). In other words, the Democrats, with HR1, have lent their official support to a horrid industry that enables election fraud, an industry that has acted with intent to corrupt state and local officials to win its contracts. In this post, I’ll define “ballot marking devices” (BMDs), explain generic problems with the architecture of all BMDs, and finally look at the entertaining forms of corruption that preceded the choice of BMDs in Pennsylvania and Georgia.
“Ballot Marking Devices” Defined
Jennifer Cohn at Bradblog explains:
A Ballot Marking Device (“BMD”) is a touchscreen computer that generates a computer-marked paper ballot or printout, which is then tallied on a computerized optical scanner. (Those computer-marked ballots can also, in theory, be counted by hand, but generally are not, as most election officials rely on optical scanners instead.)
[BMDs] introduce a second unnecessary and insecure computer system in the polling place above and beyond already insecure optical scanners, creating twice as many opportunities for electronic programming errors, paper jams, and hacking. For example, some BMD systems have already had problems with:
- Vote flipping (when election integrity advocate and journalist Brad Friedman used such a device in Los Angeles in a 2008 election, the device flipped 4 out of 12 of his selections on the computer-marked paper ballot);
- Inability to display all candidates on one screen (a problem reported by the state of Maryland, which had acquired such systems for all voters, but changed its mind even though the screen problem was eventually fixed); and
- Vendor breach of certification requirements (as occurred with vendor Election Systems & Software, “ES&S”, the nation’s largest voting system vendor).
Meanwhile, two of the most popular BMD’s — the ES&S ExpressVote and the Dominion ImageCast — produce bar-coded (or QR-coded) printouts, which cannot be read by human beings, in lieu of traditional, hand-marked paper ballots.
What could go wrong? Meanwhile — it may help to think of BMDs, and indeed electronic voting machines generally, as a very early version of the Internet of Things — there’s no reason to thing that electronic voting machine vendors will fix their software, or have any inclination to do so. Wired:
Many of the machines participants analyzed during the [DefCon security conference’s Voting Village event] run software written in the early 2000s, or even the 1990s. Some vulnerabilities detailed in the report were disclosed years ago and still haven’t been resolved. In particular, one ballot counter made by Election Systems & Software, the Model 650, has a flaw in its update architecture first documented in 2007 that persists. Voting Village participants also found a network vulnerability in the same device—which 26 states and the District of Columbia all currently use. ES&S stopped manufacturing the Model 650 in 2008, and notes that “the base-level security protections on the M650 are not as advanced as the security protections that exist on the voting machines ES&S manufactures today.” The company still sells the decade-old device, though
“We didn’t discover a lot of new vulnerabilities,” says Matt Blaze, a computer science professor at the University of Pennsylvania and one of the organizers of the Voting Village, who has been analyzing voting machine security for more than 10 years. “What we discovered was vulnerabilities that we know about are easy to find, easy to reengineer, and have not been fixed over the course of more than a decade of knowing about them. And to me that is both the unsurprising and terribly disturbing lesson that came out of the Voting Village.”
Many of the weaknesses Voting Village participants found were frustratingly basic, underscoring the need for a reckoning with manufacturers. One device, the “ExpressPoll-5000,” has root password of “password.” The administrator password is “pasta.”.
A root password of “password.” This is security somewhat below the security you get with the router you get from Best Buy. And we’re only running elections on it! But what if the software engineering was perfect?
Architectural Probems with Ballot Marking Devices
Software engineering can never be shown to be perfect. As computing science pioneer Edgers Dijkstra famously said: “Program testing can be used to show the presence of bugs, but never to show their absence!” (True for any firm, not just firms that use “password” for the root password!) Since the presence of bugs is one precusor to election fraud via hacking (the other being social engineering), it follows that ballot marking devices create a phishing equilibrium, best summarized as the idea that if fraud is possible in a system, it has already occurred and will occur again. Of course, that’s true for all systems, in general (see North Carolina’s problems with ballot harvesting), but one would think, would one not, that election officials in a functioning democracy would try to level-set the equilibrium to minimize the chances of fraud, not maximize them. No such luck. Politico, of the barcode BMDs both George and Philadelphia are about to purchase. “State election officials opt for 2020 voting machines vulnerable to hacking“:
The dispute over the ballot-marking devices centers on the fact that they use barcodes, which can be read by scanners but not by humans. Though the paper records also display a voter’s choices in plain text, which the voter can double-check, the barcode is the part that gets tallied.
The danger: Hackers who infiltrate a ballot-marking device could modify the barcode so its vote data differs from what’s in the printed text. If this happened, a voter would have no way of spotting it.
In a landmark report published last year, the National Academies recommended against voting devices that tally barcodes. “Electronic voting systems that do not produce a human-readable paper ballot of record raise security and verifiability concerns,” it said. “Additional research on ballots produced by BMDs will be necessary to understand the effectiveness of such ballots.”
But the issue isn’t simply barcodes; the issue is that wherever software infiltrates the voting “supply chain,” a phishing equilibrium exists. Dolly back from the electronic voting machine proper to the entire digital system that grows up around it. Jenny Cohn in the New York Review of Books:
The memory cards or USB sticks used to transfer the pre-election programming from the election management system to the voting machines, scanners, and ballot-marking devices constitute another potential attack vector. In theory, the person who distributes those cards or USB sticks to the precincts could swap them out for cards containing a vote-flipping program.
Memory cards are also used in the reverse direction—to transfer precinct tallies from the voting machines and scanners to the election management system’s central tabulator, which aggregates those tallies. Problems can occur during this process, too. During the 2000 presidential election between George W. Bush and Al Gore, for example, a Global/Diebold machine in Volusia County, Florida, subtracted 16,000 Gore votes, while adding votes to a third-party candidate. The “Volusia error,” which caused CBS news to call the race prematurely for Bush, was attributed to a faulty memory card, although election logs referenced a second “phantom” card as well.
Holy moley, the integrity of our election system depends on USB sticks. That’s peak phishing equilibrium! I mean, your firm’s IT department has absolutely no problem with you sticking a random USB stick into your PC, right? (“Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code.” ZOMG.) Paper ballots, needless to say, don’t require “pre-election programming,” except possibly in the form of a three-ring binder, for which the phishing equilibrium is very low.
Corruption in States that Chose Ballot Marking Devices
So why on earth would any responsible election official choose BMDs over paper ballots? Well, we don’t have a smoking gun (no prosecutions) but we certainly have situations that give off the stench familiar from other cases of corruption. Entertainingly, the techniques of corruption differ by jurisdiction, which I suppose is a blessing of our wonderful Federal system. First, Pennsylvania.
Pennsylvania is one of 13 states where some or all voters use machines that store votes electronically without printed ballots or another paper-based backup that allows a voter to double-check how their vote was recorded.
Better than 4 in 5 Pennsylvania voters use electronic voting machines that lack an auditable paper trail, according to election security analysts.
As a result:
Replacing voting machines ahead of 2020’s presidential election has been a priority for [Governor Tom] Wolf, and he is proposing $15 million a year for five years — $75 million total — to help counties pay for machines that leave a voter-marked paper trail, machines viewed as more secure and auditable.
(Of course, “more” “secure and auditable” does not mean “secure and auditable”; see above.
So, given this vital task, how did the vendor selection process go? From the Delco Times:
Pennsylvania’s elected auditor said Friday that officials in 18 of the state’s 67 counties reported accepting gifts, meals or trips from firms competing to sell or lease new voting machines ahead of the 2020 elections.
Auditor General Eugene DePasquale said accepting the gifts is wrong, even though it’s a legal practice and officials may have taken no action in return.
“Anyone who took them, period, could be swayed by the perks,” he said. Public officials, he said, should not “accept this nonsense.”
The gifts included expense-paid travel to destinations including Las Vegas, tickets to a wine festival and private distillery tour, dinners at high-end restaurants, tickets to an amusement park and an open bar at a conference for elections officials, DePasquale said. A promotional folding chair, doughnuts and candy, were among other gifts.
That’s what you call “the appearance of corruption,” right there. Of course, it’s penny ante stuff, for a penny ante $75 million contract, which I guess might not be penny ante if you were a penny ante firm whose engineers used “password” for the root password.
In Georgia, the vendors didn’t go the perks route; they went the crony route. From the Atlanta Journal-Constitution:
When Gov. Brian Kemp hired an election company’s lobbyist this month, the move raised alarm bells about one company’s influence on Georgia’s upcoming purchase of a new statewide voting system.
Concerns from government accountability advocates only grew days later, when a commission created by Kemp recommended that the state buy the type of voting machines sold by the lobbyist’s company, Election Systems & Software. Several other vendors also offer similar voting machines.
But it gets better. It’s not just one hire; the voting machine vendor infested the entire state government:
The latest moves fueled suspicions that cozy connections between lobbyists, Kemp and other elected officials will lead to ES&S winning a rich contract to sell its computerized voting products to the state government.
Kemp and Georgia election officials have supported ES&S for about 10 years:
- The ES&S lobbyist, former state Rep. Chuck Harper, now serves as Kemp’s deputy chief of staff. Prior to lobbying for ES&S, Harper was a lobbyist for the Georgia Secretary of State’s Office under Kemp from 2012 to 2017.
- Kemp’s new executive counsel, David Dove, was a member of ES&S’ advisory board when he attended a Las Vegas conference hosted by the company in March 2017. Dove served as Kemp’s chief of staff when he was secretary of state.
- Kemp chose ES&S’ voting system for a test run during a Conyers election in November 2017.
ES&S is Georgia’s current election company, responsible for providing technical support and repairs of the state’s 27,000 direct-recording electronic voting machines, which the state originally purchased for $54 million from Diebold Election Systems in 2002.
Everything really is like CalPERS, isn’t it?
See what HR1 enabled? The electronic voting industry shouldn’t even exist. Why does it? And how did it get itself written into HR1?