House to Begin Probe Into Florida Election
By Phil Davis
The Associated Press
Tuesday 16 April 2007
A House task force will take the first steps Tuesday in an investigation of
a Florida congressional election decided by 369 votes amid complaints that voting
machines failed to count thousands of electronic ballots.
Republican Vern Buchanan was declared the winner of the election, a result
Democrat Christine Jennings is challenging in Florida court.
The House, which has final authority over its membership, typically waits until
legal challenges are completed before taking action. But Florida Democrats last
month asked the House Administration Committee to begin reviewing the election
after reports of an anomaly in the touch-screen voting machines that recorded
about 18,000 skipped votes in Sarasota County.
Committee Chairwoman Juanita Millender-McDonald, D-Calif., created the three-member
task force to investigate the issue and report back to the full committee.
Jennings' spokesman David Kochman said it is time for congressional intervention
and an order for a revote.
"We think this is an important step," Kochman said Monday. "It's
already been more than five months since the election and we don't have any
answers. Hopefully this will bring answers."
The controversy in Florida's 13th Congressional District has become a rallying
point for advocates challenging the accuracy of electronic voting machines.
News reports last month revealed that voting machine manufacturer Election
Systems & Software informed state and local election officials of the machine's
slow response times nearly three months before the November election.
Kochman said the company's memo is significant because it shows there were
problems with the iVotronic machines that were not disclosed to the public or
Jennings' lawyers, although they had requested all correspondence about issues
with the machines.
The company has said the slow response is not the reason no votes were recorded
in the race for some 18,000 Sarasota County voters who cast ballots in other
contests.
The rate of non-votes in the county was far beyond the norm, but a state audit
and two recounts found no evidence of a malfunction in the machines.
Jennings and several voter advocacy groups have appealed a circuit judge's
decision not to allow them access to ES&S source code, which the company
says is proprietary. A decision on those cases is still pending.
Buchanan and Jennings campaigned for the House seat Katherine Harris left to
make an unsuccessful Senate run. As Florida's secretary of state in 2000, Harris
presided over the presidential election recount that gave George W. Bush the
presidency.
Voting Machines Vulnerable to "Serious" Vote-Flipping Attack
By Michael Richardson and Brad Friedman
Bradblog
Monday 16 April 2007
Scientific report finds "serious security
vulnerability" similar to "Princeton Diebold virus hack" in widely
used iVotronic system, allowing a single person to change election results across
entire county without detection. Despite GAO-confirmed mandate to serve as info
"clearinghouse," embattled EAC says they will take no action to alert
elections officials, public.
While revelations surrounding the mysterious 18,000 "undervotes"
in the November 2006 U.S. House election between Christine Jennings and Vern
Buchanan in Florida's 13th Congressional district continue to inform the nation
about the dangers of electronic voting machines, new information has recently
come to light exposing a shocking lack of responsible oversight by those entrusted
with overseeing the certification of electronic voting systems at the federal
level.
An investigation into what may have gone wrong in that election has revealed
a serious security vulnerability on some, and possibly all, versions of the
iVotronic touch-screen voting system widely used across the country. The iVotronic
is a Direct Recording Electronic (DRE) touch-screen voting machine manufactured
by Election Systems & Software, Inc. (ES&S), the nation's largest distributor
of such systems.
The vulnerability is said to allow for a single malicious user to introduce
a virus into the system which "could potentially steal all the votes in
that county, without being detected," according to a noted computer scientist
and voting system expert who has reviewed the findings.
And yet, despite their federal mandate to serve as a "clearinghouse"
to the nation for such information, a series of email exchanges between an Election
Integrity advocate and officials at the U.S. Election Assistance Commission
(EAC) has revealed that the federal oversight body is refusing to notify states
of the alarming security issue.
The recent email conversation shows that even in light of the EAC's review
of the warning from the computer scientist who characterized the "security
hole" as severe, needing to be "taken very seriously," and among
the most serious ever discovered in a voting system, the EAC is unwilling to
take action.
Recent reports by the Government Accountability Office (GAO) have taken the
EAC to task for a failure to meet their legislated mandate for informing the
public and elections officials about such matters. However, a review of the
email communications to and from the EAC's Jeannie Layson shows that the federal
body is steadfast in their refusal to take action to alert either elections
officials or the public about the security risk recently discovered by a team
of eight noted computer scientists.
The EAC's current Chairwoman, Executive Director, Director of Voting System
Certification, and other top officials at both the National Association of State
Election Directors (NASED), and even the GAO, were included in the series of
email communications, The BRAD BLOG has learned.
The vulnerability was initially discovered by a panel of scientists convened
by the State of Florida to study the possible causes for the FL-13 election
debacle. The team's discovery revealed that a design issue in the widely used
iVotronic system could allow for a viral attack, by a single individual, which
could then spread unnoticed throughout the electronic election infrastructure
of an entire county.
A similar vulnerability was found in a DRE touch-screen system made by Diebold
last summer by a team of computer scientists at Princeton University.
Attempts to seek information about EAC plans to notify other states and local
jurisdictions that use the same vulnerable voting systems as the ones in FL-13
have been met with an astounding refusal, troubling denial, buck-passing, and
a lack of accountability by the federal commission of Presidential-appointees.
The agency has also come under fire in recent weeks for a number of questionably
partisan decisions and other failures to perform as mandated by the Help America
Vote Act (HAVA) of 2002.
Of late, the EAC has been forced to respond to a great deal of controversy,
on a number of different operational matters and policies, as revealed by a
series of articles on this site and in mainstream outlets such as the New York
Times and USA Today. Several of those matters have drawn Congressional notice,
questioning of EAC officials, and letters of inquiry. Thus, this latest revelation
is likely to add to the rising concern of Congress members as new federal legislation
introduced by Rep. Rush Holt (D-NJ), currently facing mark-up by a Congressional
committee, would permanently fund the now-embattled EAC. Funding for the agency
was originally mandated by HAVA only through 2005.
The new ES&S iVotronic vulnerability first emerged on February 23, 2007,
when the Florida Dept. of State released a report detailing their findings from
the investigation into what happened in Sarasota's still-contested Jennings/Buchanan
race. That election was ultimately decided by just 369 votes. The state's official
findings included a report [PDF] conducted by an eight-member computer science
and technology team under the auspices of Florida State University (FSU). The
report sought, unsuccessfully, to determine the cause of the unexplained "undervotes"
reported by the iVotronic touch-screen voting systems used in Sarasota's portion
of the FL-13 race on Election Day and in early voting.
Although the reason thousands of votes turned up missing from those systems
remained unknown, the study team did discover a serious security flaw in the
iVotronic system that is used in Sarasota and many other jurisdictions across
the country (and even the world, as France is set to use the same systems
in their upcoming Presidential Election).
Election integrity watchdog John Gideon, a frequent BRAD BLOG contributor
and the Co-Director and Information Manager for VotersUnite.org, says that
the security flaw may pertain to "every ES&S iVotronic voting machine
used in the US and overseas." A total of eight separate versions of the
system - with and without so-called "voter verified paper audit trail"
(VVPAT) printers - are currently approved as qualified at the federal
level, he explained. Three of those are definitely affected and it is likely
that the others are as well.
The details, the dangers, and the denials are all described below...
"It Needs to Be Taken Very Seriously"...
As detailed by information in the FSU report, the ES&S iVotronic is vulnerable
to a very dangerous attack by a single person which could result in an election,
across an entire county, being flipped without notice.
One computer scientist who has closely reviewed the team's findings warned
via email, "The FSU report revealed a serious security vulnerability in
the iVotronic: it is vulnerable to viruses that could be introduced by a single
outsider and that could spread throughout a county. This means that a single
outsider in a county that uses the iVotronic Firmware version 8 could potentially
steal all the votes in that county, without being detected."
"In my opinion," the scientist warned, "the severity of this
security hole is roughly comparable to that of the Hursti II / Princeton virus - which
is to say it needs to be taken very seriously." Though the scientist asked
not to be identified publicly, his warning was shared with the EAC and is now
posted online in full at VotersUnite.org.
Both the so-called "Hursti II" report and the Princeton discovery,
as first reported by The BRAD BLOG, rocked the nation's voting system manufacturers
and election officials alike when they revealed extraordinary vulnerabilities
in touch-screen electronic voting systems made by Diebold, Inc., last year during,
and just prior to, the nation's primary election cycle.
"This is further evidence that it's not just one vendor who has serious
security problems; it's a second instance [of] this sort of virus vulnerability,"
the scientist writes.
"Don't let anyone tell you that if we just 'kick Diebold off the island'
all of the security problems will go away."
The scientific warning includes detailed steps on how to mitigate the problem
for several different versions of the ES&S iVotronic, all of which are vulnerable
to the attack.
Gideon took the warning to heart and forwarded it to the EAC with a request
that the important e-voting security issue be shared with other states under
the EAC's "clearinghouse" mandate. But the EAC has refused.
The Help America Vote Act (HAVA) requires the EAC to act as a national "clearinghouse"
for election administration and voting system information. As stated on the
EAC website:
The Election Assistance Commission is designed to serve as a national clearinghouse
and resource for the compilation of information and review of procedures by.... Maintaining
a clearinghouse of information on the experiences of State and local governments
in implementing the guidelines and in operating voting systems in general.
Despite their mandate, and admission of same, EAC spokeswoman Jeannie Layson
replied to Gideon that the iVotronic was qualified by the National Association
of State Election Directors (NASED) and thus was not the responsibility
of the EAC. NASED was the body which oversaw federal testing of systems until
the EAC took over the process fully earlier this year.
Not the EAC's Problem...
In the EAC's refusal to take accountability for warning states of the newly
discovered danger, along with the buck passing over to NASED, Layson failed
to recognize that current EAC Executive Director Tom Wilkey was the chair
of the NASED committee at the time they federally qualified several of the virus-prone
ES&S voting machines.
Nonetheless, whoever gave federal qualification to the system in the past,
it is now clearly the responsibility of the EAC to inform states about the issue
now that it has become known, Gideon argues, echoing the sentiments of the GAO
in two different reports.
Dumbfounded at the EAC response, Gideon wrote back expressing his dismay to
Layson:
My concern is NOT whether the system was NASED qualified or EAC certified.
My concern is a problem was found with two versions of a voting system and there
are mitigating solutions to these problems. The EAC is supposed to be a "clearinghouse"
of information. Ms. Davidson [EAC Chair Donetta Davidson - also a former member
of NASED's Voting Systems Board when it was chaired by Wilkey] - pointed out
recently that the EAC's middle name is "Assistance." It seems like
the EAC is neither acting as a "clearinghouse" nor "assisting"
when it ignores reports from prominent computer scientists about a large security
issue with a voting system that is being used in many, many jurisdictions around
the country.
Layson responded that the "clearinghouse" only applied to studies
conducted by the EAC - like a recent bi-partisan "voter fraud" study
and another on "Voter ID." The commission is currently under fire
for its partisan rewrite of the former, and the "Voter ID" study
which, though commissioned by the EAC as well, was similarly dismissed by the
agency after the team of presidential appointees were unhappy with its
reported findings.
As for warning states and voters of voting machine problems, Layson refused
to take responsibility. She maintained, in defense of the EAC, that their new
program for voting system certification is just now being put into place, and
thus they won't act on problems found in systems approved previously by NASED.
"The EAC['s new] certification program will collect anomaly reports,"
Layson wrote in an email to Gideon, "which we will then investigate and
share with election officials and the public."
Gideon expressed his amazement in his next email response, and attempted again
to encourage the EAC to do their HAVA-mandated duty. Responding to the EAC's
communications director, he wrote:
I'm amazed that instead of answering the questions you conflate the certification
of voting systems with a security vulnerability that is in existence across
the country. This issue has nothing to do with the EAC certification program.
It has to do with the EAC recognizing that there may be a problem and then taking
action to ensure states and local jurisdictions are aware of that problem.
Layson held her "not-our-problem" ground, stating in reply that shortcomings
of NASED testing and qualification were, incredibly, not the business of the
EAC.
"Again, as we have discussed many times, we did not certify this voting
system," Layson responded, deflecting Gideon's written concerns once again.
"If [the ES&S iVotronic system] successfully completes EAC's certification
program in the future, then it would be subject to our rules and conditions,
and if a problem occurs we would notify the election community and the public,"
she reiterated in the follow-up reply.
The GAO Disagrees...
Layson's denial of EAC responsibility in warning the public of the serious
Florida findings is also in sharp contrast with a recent finding by the Government
Accountability Office (GAO).
In a 2005 report [PDF], requested by Congress on "Federal Efforts
to Improve Security and Reliability of Electronic Voting Systems," the
GAO was critical of the EAC's failure to inform the public of such concerns
about vulnerabilities in voting systems:
The continued absence of a national clearinghouse for voting system problems
means that segments of the election community may continue to acquire and operate
their systems without benefit of critical information learned by others regarding
the security and reliability of those systems.
The 2005 GAO report recommended the EAC, "Improve management support to
state and local election officials ... for sharing information on the problems
and vulnerabilities of voting systems."
A follow-up GAO report [PDF] submitted to Congress last month stated
that the EAC had allocated some $3.5 million - twenty-five percent of its
total budget - to establish themselves as "a national clearinghouse of
election administration information."
However, two years and $3.5 million later the "clearinghouse" is
still not operational, as confirmed by the 2007 GAO report:
[W]e have recommended that the EAC develop a process and associated time frames
for sharing information on voting system problems and vulnerabilities across
the election community.... Not yet defined are the mechanisms to collect
and disseminate information on problems and vulnerabilities that are identified
by voting system vendors and independent groups outside of the national certification
process.
Meanwhile, the newly-identified security flaw in ES&S voting machines,
all over the country, is like a hidden time bomb about which the EAC refuses
even to post an advisory on their website. The hidden flaw awaits exploitation
in a viral strike - if such an attack has not already occurred - and yet
the EAC has expressed a complete unwillingness to even alert state and local
officials.
The future of the EAC itself is now very much in play. Federal legislation
- the "Voter Confidence and Increased Accessibility Act" (HR811),
as proposed by Rep. Rush Holt, will for the first time remove HAVA's previous
2005 funding "sunset." The act would make the EAC a permanently funded
federal body under the control of the White House.
And yet, the EAC's "clearinghouse" is beginning to smell like an
outhouse.
Gideon, who has spent years trying to effect positive change at the EAC in
attempts to hold them accountable for their mandate as the sole federal oversight
body for voting systems, told The BRAD BLOG recently in frustration, "They
just don't care."