Accessible and Verifiable Voting in Connecticut
Homepage
About Us
Activities
Background
Technology
In the News
Take Action
Other Links

Connecticut Update (8/30/06)

Much has happened since the TrueVoteCT web site was last updated, both in Connecticut and nationally. Here's a brief guide to where we are now with respect to new voting equipment and to issues currently facing the state.

  • Connecticut has chosen to buy Diebold AccuVote-OS optical scanners to replace its lever machines and to buy the IVS telephone voting system to meet HAVA's accessibility requirements. (More...)
  • The Secretary of the State has entered into a Memorandum of Understanding with Dr. Alex Shvartsman, a computer scientist at the University of Connecticut, to conduct "Certification and Acceptance Testing of Electronic Voting Equipment". (More...)
  • The currently-available models of the AccuVote-OS scanner have known security vulnerabilities that led NASED to take the unprecedented step of withdrawing certification of the vulnerable models unless specific mitigations are implemented. (More...) However, the State contract requires the vendor to correct any security and/or functionality problems within a year at no additional cost to the State, so these problems should eventually get fixed.
  • Beyond the specific vulnerabilities currently identified in the AccuVote-OS, TrueVoteCT recommends that the Secretary of the State establish policies and procedures for the safe use of all electronic voting technologies. (More...)

What's Next? (8/30/06)

The first big test of the new voting systems will take place in the November elections, only a little more than two months off. Many things need to be done between now and then:

  1. Resolve State certification issues for the new equipment. (More...)
  2. Update the Election Moderators Handbook to include procedures and security mitigations specific to the new equipment.
  3. Train poll workers and voters in the proper use of the new equipment.
  4. Set up procedures to evaluate the performance of the new equipment in an actual election.

Further on down the road, it is essential that Connecticut strengthen existing mandatory audit legislation to apply to all voting systems, not just DRE systems as at present. A real strength of optical scan systems is that the official record of voter intent is the paper ballot marked by the voter. However, in order to protect against electronic tampering, it is essential that the machines be audited by actually comparing their results with independent counts of the paper ballots. TrueVoteCT intends to work with the legislature in drafting suitable legislation and helping see it through to completion. (More...)


Connecticut Chooses New Voting Equipment (8/05/2006)

Secretary of the State Susan Bysiewicz announced at a press conference on August 5, 2006 that "her office has entered into a contract with LHS Associates of Massachusetts to provide optical scan technology to replace lever voting machines across the state." She went on to say, "Additionally, Connecticut will meet the requirements of the Help America Vote Act (HAVA) for the November election by entering into a 1-year contract with IVS, LLC to provide one voting machine accessible to those with disabilities in each polling place in the state."

This is good news. By choosing optical scan equipment, the DRE train wreck predicted in March 2005 has been avoided and the recommendation made then to go with optical scan equipment has been followed. This can be seen as a victory for TrueVoteCT and for all in the state who are committed to fair and honest elections.

The equipment to be provided for replacing the lever machines is the AccuVote-OS optical scanner, made by Diebold Election Systems, Inc., as specified in the State contract. The company to which the press release referred, LHS Associates, "is the exclusive value-added reseller of the Accu-Vote product line in the New England area." The State has had a long and productive relationship with LHS Associates. Although the contract itself is not actually with LHS, the office of the SOTS assures us that the State has an understanding that Diebold will designate LHS to carry out the provisions of the contract.

State Contracts with UConn Computer Scientist (8/05/06)

Secretary of the State Bysiewicz has entered into a Memorandum of Understanding with Dr. Alex Shvartsman and the University of Connecticut's Department of Computer Science and Engineering to conduct "Certification and Acceptance Testing of Electronic Voting Equipment". Dr. Shvartsman was awarded a $258,871 grant to review, among other things, the July 4, 2005 report by Finnish computer scientist Harri Hursti which revealed serious security vulnerabilities in the Diebold Precinct-Based Optical Scan 1.94w voting system. It's good to learn that plans are in place to test voting technology before it is certified, and True Vote has confidence in Dr. Shvartsman's ability and integrity.

True Vote Recommendations for Safe Use of New Optical Scan Equipment

The currently-available Diebold AccuVote-OS optical scanner is similar to the machine that was subject to the Hursti attack and was mentioned specifically in the Cal-Berkeley report as containing serious security holes. Certain mitigations and countermeasures need to be implemented before these scanners are used in an election. Particular attention needs to be paid to the recommendations of the Cal-Berkeley report and the NASED Memory Card Report 03-22-06 which negates the [Diebold] voting system's status as a NASED-qualified voting system until four mitigations are adopted for their safe use:

  1. Throughout the life of the voting system, the election official shall maintain control of all memory cards and keep a perpetual chain of custody record for all of the memory cards used with the system. Programmed memory cards shall be stored securely at all times with logged accesses and transfers.
  2. Immediately after the memory card is installed in the voting station, the card shall be sealed against unauthorized access. The voting station shall not be set into election mode until after the memory card is sealed inside.
  3. Use controlled serialized seals that are tamper resistant and resistant to inadvertent breakage along with verifiable seal logs.
  4. In post-election mode, print the results report prior to removing the memory card from the optical scanner. If additional reports other than the results report are available, print these as well.

This advisory applies to the scanners already in use by a few towns in Connecticut as well as to the currently-available scanners (version 1.96.6) to be acquired under the new State contract. Before such machines are used in Connecticut, the Moderator's Handbook also needs to be updated to incorporate these recommendations.

Security Vulnerabilities in Electronic Voting Machines

Many security vulnerabilities have been exposed in electronic voting machines. The Brennan Center study reveals that all electronic voting systems are subject to a variety of attack scenarios, and none can be considered safe until suitable countermeasures to plausible attacks are implemented. While it is tempting to label each new vulnerability as an "oversight" or "design error" that can be corrected, the problem actually goes much deeper than that:

  1. All current computer equipment is designed to allow for firmware and software upgrades. This is necessary in order to allow design errors to be corrected and to permit servicing of the machine if the software for any reason becomes corrupted.
  2. There is currently no reliable way to determine what firmware and software is actually running on a voting machine on election day. This is because access to the computer's memory is through the firmware and software itself. If the software has been corrupted, it can also corrupt the result of any built-in self-checks.

Facts (1) and (2) above mean that the familiar paradigms of testing and certification cannot ever assure the reliability of the machines, no matter how carefully done. There is simply no way to assure that the machine running on election day, including both hardware and software, is the same as the one that was tested and certified. In light of these facts, TrueVoteCT makes two recommendations for the responsible use of any computerized voting technology:

  1. It should be made as difficult as possible to perform unauthorized updates to the hardware, firmware, and software. This includes careful chain-of-custody procedures, installation of physical locks and seals on the equipment, removal of remote-access devices such as wireless and network cards from the machines, update procedures that cryptographically verify the authenticity of the updates before proceeding, and other measures designed to ensure that updates are made only under strictly controlled conditions and only with duly approved and certified modifications.
  2. The correct operation of the equipment on election day must be verified through suitably designed random audit procedures. This step must not be skipped. (More...)
Those who are interested in the security flaws that have been discovered and that have led TrueVoteCT to make the recommendations above are urged to read the articles below:

A Certification Question (6/10/2006)

The optical scan machines that are currently used in several towns in Connecticut may not be properly certified. The models that were certified by the State were the Accu-Vote-2000 (and associated ES-2000 operating firmware Version 1.94f) of Global Election Systems, Inc. We do not know if that exact model ever received NASED certification. According to NASED, the Accu-Vote ES-2000 was certified with firmware release 1.94W on 12-28-99. (See ITA Approved Systems 1-03 to 11-03.) We do not know if it was ever certified by NASED to firmware version 1.94f. In any case, the latest firmware version in use by NASED certified machines seems be 1.96.6. (Diebold currently has NASED certification for no fewer than six different versions of their precinct optical scanner — see NASED Qualified Voting Systems 03-17-06.) Confusing? You bet! To add to the confusion, we don't know what version of the firmware is currently in the machines now being used since their firmware may well have been upgraded during maintenance, nor do we know what functional changes were made from the original versions.

True Vote Calls for Comprehensive Election Audit Legislation (6/24/2006)

Given the known vulnerabilities with both Optical Scan and Direct Recording Electronic (DRE) voting systems, it is essential that Connecticut adopt a mandatory, statistically meaningful, random audit requirement for all voting systems.

Through the efforts of True Vote and other groups, the State has adopted Public Act No. 05-188 (pdf), which requires a random audit procedure for DRE machines. However, that bill does not cover audit procedures for optical scan systems. True Vote will work towards adoption of appropriate legislation during next year's legislative session.

Audit legislation cannot be considered until January 2007 when the next legislative session begins. In order to assess the reliability of the new equipment and to gain useful experience to inform the eventual audit legislation, True Vote recommends that a manual recount be taken for every new voting machine placed in service for the November 2006 election.

A good audit procedure should involve the following elements:

  1. A significant percentage of precincts or machines should be selected for the audit.
  2. Selection of machines must be done publicly and should use an accepted random process, similar to that used in the CT lottery.
  3. Machines to be audited should not be selected until after the polls close.
  4. Hand counting of the votes on the selected machines should be done in public view, involving poll watchers and election officials from both parties, with tallies to be announced to all in the room before any results are forwarded to the SOTS. This should be done as soon as practicable following the close of the polls.
Basic audit procedures are presented in greater detail in the Brennan Center report, pages 16–18.

Security in the News

Brennan Center Finds Electronic Voting Systems Vulnerable to Attack (6/28/06)

In a report issued on June 28, 2006, the Brennan Center Task Force on Voting System Security finds security vulnerabilities in all of the three kinds of electronic voting machines being adopted for use across the country: paperless DRE, DRE with voter-verified paper trail, and precinct optical scan. The latter type of system was recently selected for use in Connecticut as a replacement for the lever machines.

Three points emerge from the threat analyses studied in the report:

  • All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
  • The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
  • Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.

What is "the Hursti Hack" and What Does it Show? (6/24/06)

The story of the Hursti Hack shows that all types of electronic voting systems, including DRE systems and optical scan systems, can be manipulated and cannot be trusted. The only way to assure the integrity of elections is to require a voter-verified paper record---for optical scan systems the ballot itself serves as the paper record---and to require rigorous random audit procedures.

In June 2005 Harri Hursti, a Finnish computer security expert, demonstrated that the Diebold AccuVote OS system could be tampered with in such a way as to manipulate the vote totals in a completely undetectable manner. Since then several states have confirmed the existence of the vulnerability.

For example, here is a description of the Hursti Hack from page 7 of the December 22, 2005 Examination Results of the Diebold Election System's AccuVote TSX Electronic Voting System, OS Optical Scan Units, and GEMS Election Management Software published by the Pennsylvania Department of State:

“In June 2005, Finnish security expert Harri Hursti demonstrated that the memory card used in the AccuVote OS units can contain executable code, and that furthermore, the scanners will execute the code if it is present. Hursti was able to use this fact to program a memory card so that it (1) contained counters that were not zero and, in fact, had counters with negative vote totals; (2) produced a zero tape nevertheless; and (3) used the negative counter values to subtract votes from candidates and positive counter values to add votes to candidates, which resulted in a complete manipulation of the election. Note that if the sum of the negative and positive counter values are zero, the total number of votes tallied will exactly match the total number cast, and nothing will appear to be amiss. Hursti was able to disguise the behavior so it would not be detected in pre-election or post-election testing. (A manual recount would reveal this.)”

More details about the vulnerabilities identified by the Hursti Hack are available in the following reports:

Election Reform: Malfunction and Malfeasance (6/24/06)

Common Cause recently released a report titled Election Reform Malfunction and Malfeasance: A Report on the Electronic Voting Machine Debacle. The report focuses mainly on questions about the reliability and integrity of paperless DRE machines, pointing out that nearly 40% of voters are expected to vote on such machines in the 2006 elections.

The report considers four major studies that reviewed DRE security and reliability, all of which found DRE machines:

“to be vulnerable to malfunction and also to tampering in which a computer-savvy hacker with minimal access to the machine could introduce malicious code to the DRE software and change the results of an election. Such manipulation could be undetectable. In machines equipped with a modem, it could even be done from a remote location.”

The report also summarizes seven reported occasions since 2002 in which electronic machines added or removed votes in real elections [in Texas, North Carolina, Pennsylvania, Florida, Virginia, and New Mexico], calling into question the final results of a race.

The report makes many recommendations. Here are some that we think are particularly relevant for Connecticut:

  • Congress should immediately pass HR 550, “The Voter Confidence and Increased Accessibility Act of 2005.”
  • States should pass laws or adopt regulations requiring all voting systems to produce a voter verifiable paper ballot and mandate that at least a random two percent of voting jurisdictions conduct public audits of their voting systems.
  • Election officials should take necessary steps to safeguard machines prior to Election Day.

Verified Voting Study Shows Diebold Vulnerabilities (6/8/2006)

Verified Voting released a preliminary summary of states whose elections are at risk due to well documented security vulnerabilities in Diebold voting systems. The report shows that 27 states are at risk with varying degrees of vulnerability. Those considered to be at highest risk are nine states (GA, MD, IO, FL, VA, PA, IN, KS, TX) that are using paperless Diebold TSx and TS machines. States that have adopted voter-verified paper record requirements are at somewhat less risk.

The vulnerabilities reported cited in the report do not only affect Diebold equipment. According to Verified Voting founder, David L. Dill, Professor of Computer Science at Stanford University, "[t]here will be an endless series of security holes, and not just with Diebold equipment."

The report underscores the importance of two key elements needed to assure the accuracy and integrity of elections:

  • Voter-verified paper records.
  • Mandatory random audits of all voting technology.

We couldn't agree more!


Read about True Vote's activities from January 2005 through April 2006

Please explore this site and learn about the issues.

Last modified: Thu Jan 11 18:46:49 EST 2007 email to webmaster: Alice Fischer