October 29, 2008
Will My Vote Be Counted? Correctly?
Edward W. Felten
Computer Science and Public Affairs, Princeton
Minutes of the Seventh Meeting of the 67th Year
President George Hansen called the seventh meeting of the 67th year of the Old Guard to order at 10:15 AM for the 110 members and visitors present at the Bowen Hall Auditorium (Room 222). George Folkers led the invocation.
Marcia Bossart read the minutes of the October 15 meeting.
President Hansen introduced the following guests: R. N. Tottenham-Smith, guest of David Dodge; and Alison Lahnston, guest of Claire Jacobus.
Four announcements were made: a reminder that the Snow Day Policy is the same as the Princeton Regional Schools and can be found on the Old Guard Voice Mail Box; the location of the November 5th Old Guard meeting will be held on the third floor of the Frist Center beginning at 10:15 AM; that the November Hospitality hour will be held on November 12th, and start at 9:30 AM at the Friend Center; and that the speaker for November 12th has been changed from Arthur Levine to Prof. John Waterbury who will speak on "Higher Education in the Middle East."
George Hansen introduced the Speaker, Prof. Edward Felton who joined the faculty of Princeton in 1993 and is currently Professor of Computer Science and Public Affairs and the founding Director of Princeton's Center for Information Technology Policy. [Note: The Center hosts a web site "Freedom to Tinker" (http://www.freedom-to-tinker.com) that is widely read for its commentary on information technology law and policy]
The subject of Prof. Felton's talk was electronic voting machines and the timely subject:
"Will my vote be counted? Correctly?"
Prof. Feltman's excellent Power Point presentation started with the Florida Election of 2000, and the nation's response to the first use, and dramatic failure, of new Punch Card Voting Machines where voters record their vote on a paper punch card through a simple stylus device. Unfortunately the punch cards had a count error rate that was considerably larger than the margin by which George Bush won Florida's 25 electoral votes — and the presidency! After this so-called "Florida Debacle" there was a consensus that electronic voting machines could, and would, do better than any paper route. In 2002 the "Help America Vote Act" was passed that had resources of 3.9 billion dollars to encourage development of reliable, and paperless, Direct Recording Electronic (DRE) voting machines for the November 2006 general election. The success of the program led to the entry of many computer firms into the field, but the focus of the talk was the 33,000 Diebold AccuVote-TS voting machines that were in service nation wide, including the states of Maryland and Georgia, for the election of 2006 and 2008!
It was a challenge to computer scientists all over the world to have a fully independent security study of the proprietary Diebold DRE system to validate its broad use. Early research raised questions that could not be answered without access to the Diabold DRE. Prof. Felton answered those questions by his "lawful acquisition" of a Diebold AccuVote-TS unit in May of 2006, and the publication of "The Security Analysis of Diebold AccuVote-TS Voting Machine." by him and his grad students in September of 2006.
The Security Analysis started with the experimental identification of the Windows Software that runs the DRE and its potential disturbance by the Memory Card that stores the votes. Through their detailed experimentation on the Diebold DRE, the Princeton group discovered how to set up a "Malicious Program" on the Memory Card that would count the total number of votes but readjust them in a way to satisfy specifc "party interests," without any visible record of a change in software. An experimental example, demonstrated before a House Committee, and seen on Fox and CNN TV, was a fictitious American Presidential election where George Washington received 5 votes and Benedict Arnold received 0 votes. Through the one minute replacement of the "Diebold Memory Card" by their "Malicious Software Memory Card," George Washington received 2 votes and Benedict Arnold received 3 votes. The message was that it's easy to count the total vote on the Diebold system correctly, but equally easy to assign it incorrectly—without leaving any trace of what was done!
Equally remarkable was the discovery that the only barrier to the injection of a virus —the access door to the Memory Card on the Diebold DRE— had locks that can be opened with a standard key that is widely available on the Internet, or can be "picked in about 10 seconds."
What are the opportunities to substitute a Malicious Code Memory Card in a voting machine that sits on the floor of the Voting Centers on election day. One way is to take advantage of the early delivery of the 180 pound fold-up voting machines, and find them unguarded in vacant school corridors days before election day by simply following the early "Park Here—Go In —Through Here To Vote" signs. This is an easy route to the memory cards that was tested and photographed by Prof. Felton days before the Princeton Super Tuesday Primary of 2008.
Finally Prof. Felton noted that DRE's are computers and there can be unknown bugs in the software system. Indeed in a recent county election in Florida 4,600 votes were lost due to bugs in the memory and the election had to be repeated. Even closer to home was the discovery on this year's New Jersey's Super Tuesday primaries, that the end of the day printouts of some of the Sequoia AVC Advantage DRE's had more candidate votes than primary voters. The problem was caused by the occasional inadvertent "extra button" pushed by the Poll Worker when the voter entered the booth. The problem was fixed by a Lucite cover on the extra buttons, which I observed in my vote yesterday — a non-electronic cure of a software bug!
In his conclusions, Prof. Felton argued that the solution to the problem is not a return to Paper Ballots but the development of a transparent voting system that includes: (1) paper and electronic reading at the vote with post-election audits; (2) well defined paper and electronic trails; (3) better engineering: (4) better procedures.
Prof. Felton's talk generated many questions from an enthusiastic audience which wanted to learn even more on what led to the remarkable failure of the US voting system. One question, "Why could Diebold do so well with safe and secure ATM's, and so poorly with Voting Machines?" had the surprising answer that ATM's are a large and profitable business and get the R&D they need. Electronic Voting machines are the opposite!
The meeting was adjourned at 11:30 AM.
Respectfully submitted,
George D. Cody
Marcia Bossart read the minutes of the October 15 meeting.
President Hansen introduced the following guests: R. N. Tottenham-Smith, guest of David Dodge; and Alison Lahnston, guest of Claire Jacobus.
Four announcements were made: a reminder that the Snow Day Policy is the same as the Princeton Regional Schools and can be found on the Old Guard Voice Mail Box; the location of the November 5th Old Guard meeting will be held on the third floor of the Frist Center beginning at 10:15 AM; that the November Hospitality hour will be held on November 12th, and start at 9:30 AM at the Friend Center; and that the speaker for November 12th has been changed from Arthur Levine to Prof. John Waterbury who will speak on "Higher Education in the Middle East."
George Hansen introduced the Speaker, Prof. Edward Felton who joined the faculty of Princeton in 1993 and is currently Professor of Computer Science and Public Affairs and the founding Director of Princeton's Center for Information Technology Policy. [Note: The Center hosts a web site "Freedom to Tinker" (http://www.freedom-to-tinker.com) that is widely read for its commentary on information technology law and policy]
The subject of Prof. Felton's talk was electronic voting machines and the timely subject:
"Will my vote be counted? Correctly?"
Prof. Feltman's excellent Power Point presentation started with the Florida Election of 2000, and the nation's response to the first use, and dramatic failure, of new Punch Card Voting Machines where voters record their vote on a paper punch card through a simple stylus device. Unfortunately the punch cards had a count error rate that was considerably larger than the margin by which George Bush won Florida's 25 electoral votes — and the presidency! After this so-called "Florida Debacle" there was a consensus that electronic voting machines could, and would, do better than any paper route. In 2002 the "Help America Vote Act" was passed that had resources of 3.9 billion dollars to encourage development of reliable, and paperless, Direct Recording Electronic (DRE) voting machines for the November 2006 general election. The success of the program led to the entry of many computer firms into the field, but the focus of the talk was the 33,000 Diebold AccuVote-TS voting machines that were in service nation wide, including the states of Maryland and Georgia, for the election of 2006 and 2008!
It was a challenge to computer scientists all over the world to have a fully independent security study of the proprietary Diebold DRE system to validate its broad use. Early research raised questions that could not be answered without access to the Diabold DRE. Prof. Felton answered those questions by his "lawful acquisition" of a Diebold AccuVote-TS unit in May of 2006, and the publication of "The Security Analysis of Diebold AccuVote-TS Voting Machine." by him and his grad students in September of 2006.
The Security Analysis started with the experimental identification of the Windows Software that runs the DRE and its potential disturbance by the Memory Card that stores the votes. Through their detailed experimentation on the Diebold DRE, the Princeton group discovered how to set up a "Malicious Program" on the Memory Card that would count the total number of votes but readjust them in a way to satisfy specifc "party interests," without any visible record of a change in software. An experimental example, demonstrated before a House Committee, and seen on Fox and CNN TV, was a fictitious American Presidential election where George Washington received 5 votes and Benedict Arnold received 0 votes. Through the one minute replacement of the "Diebold Memory Card" by their "Malicious Software Memory Card," George Washington received 2 votes and Benedict Arnold received 3 votes. The message was that it's easy to count the total vote on the Diebold system correctly, but equally easy to assign it incorrectly—without leaving any trace of what was done!
Equally remarkable was the discovery that the only barrier to the injection of a virus —the access door to the Memory Card on the Diebold DRE— had locks that can be opened with a standard key that is widely available on the Internet, or can be "picked in about 10 seconds."
What are the opportunities to substitute a Malicious Code Memory Card in a voting machine that sits on the floor of the Voting Centers on election day. One way is to take advantage of the early delivery of the 180 pound fold-up voting machines, and find them unguarded in vacant school corridors days before election day by simply following the early "Park Here—Go In —Through Here To Vote" signs. This is an easy route to the memory cards that was tested and photographed by Prof. Felton days before the Princeton Super Tuesday Primary of 2008.
Finally Prof. Felton noted that DRE's are computers and there can be unknown bugs in the software system. Indeed in a recent county election in Florida 4,600 votes were lost due to bugs in the memory and the election had to be repeated. Even closer to home was the discovery on this year's New Jersey's Super Tuesday primaries, that the end of the day printouts of some of the Sequoia AVC Advantage DRE's had more candidate votes than primary voters. The problem was caused by the occasional inadvertent "extra button" pushed by the Poll Worker when the voter entered the booth. The problem was fixed by a Lucite cover on the extra buttons, which I observed in my vote yesterday — a non-electronic cure of a software bug!
In his conclusions, Prof. Felton argued that the solution to the problem is not a return to Paper Ballots but the development of a transparent voting system that includes: (1) paper and electronic reading at the vote with post-election audits; (2) well defined paper and electronic trails; (3) better engineering: (4) better procedures.
Prof. Felton's talk generated many questions from an enthusiastic audience which wanted to learn even more on what led to the remarkable failure of the US voting system. One question, "Why could Diebold do so well with safe and secure ATM's, and so poorly with Voting Machines?" had the surprising answer that ATM's are a large and profitable business and get the R&D they need. Electronic Voting machines are the opposite!
The meeting was adjourned at 11:30 AM.
Respectfully submitted,
George D. Cody