August 20, 2007 4:00 AM PDT
E-voting predicament: Not-so-secret ballots
- Related Stories
Senators to abandon '08 e-voting paper trail mandateJuly 25, 2007
House panel approves e-voting paper trailsMay 9, 2007
A sampling of e-voting glitches on election day 2006November 7, 2006
E-voting hobbled by security concernsOctober 6, 2005
E-voting report could push audit trailsOctober 4, 2005
Poll: E-voters not so afraid of election-day hacksAugust 3, 2004
High hopes for unscrambling the voteJune 8, 2004
Fight over e-voting leaves election plans as casualtiesMay 20, 2004
Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election's results--including allowing voter names to be matched to their actual votes.
Making a secret ballot less secret, of course, could permit vote selling and allow interest groups or family members to exert undue pressure on Ohio residents to vote a certain way. It's an especially pointed concern in Ohio, a traditional swing state in presidential elections that awarded George Bush a narrow victory over John Kerry three years ago.
Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. "We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way," said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.
Once the two documents are merged, it's easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.
"I think it's a serious compromise," said David Dill, a Stanford University computer science professor who has followed electronic voting issues closely. "We have a system that's very much based on secret ballots. If you have something where voters are involuntarily revealing their votes, it's a very bad practice."
Moyer and fellow activist Jim Cropcho tested this by dropping by the election office of Delaware County, about 20 miles north of Columbus, and reviewing the results for a May 2006 vote to extend a property tax to fund mental retardation services (PDF). Their results indicate who voted "yes" and who voted "no"--and show that local couples (the Bennets, for instance) didn't always see eye-to-eye on the tax.
Patrick Gallaway, communications director for Ohio Secretary of State Jennifer Brunner, a Democrat, said on Friday that his boss had already been planning to begin a "comprehensive" review of e-voting machines as part of a campaign pledge she made before taking office in January. He said the review now is likely to include a look at the ES&S voter privacy concern as well.
ES&S machines are used in about 38 states, according to the Election Reform Information Project, created by the Pew Center on the States. Of those states, Arkanasas, Iowa, North Carolina, Ohio, and West Virginia are among those using ES&S iVotronic machines with paper audit trails.
Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don't. A spokesman for Diebold Election Systems (now Premier Election Solutions), said they don't for security and privacy reasons: "We're very sensitive to the integrity of the process."
An ES&S spokeswoman at the Fleishman-Hillard public relations firm downplayed concerns about vote linking. "It's very difficult to make a direct correlation between the order of the sign-in and the timestamp in the unit," said Jill Friedman-Wilson. (ES&S iVotronic machines are used in 10 Ohio counties, mostly in the center of the state, according to a map on the BlackBoxVoting.org watchdog site.)
"That is so fatally flawed," Friedman-Wilson said about Moyer's and Cropcho's analysis. "It doesn't take into consideration any of the times that there would be interaction with a voter and a poll worker before the ballot is activated." As for the interaction of Ohio open records law with ES&S logs, she said that "it is most appropriate that the secretary of state's office and others who are responsible for carrying out elections respond to questions regarding Ohio election law and procedure."Timestamps + Ohio law = trouble
One explanation is ES&S had never expected that the paper with the time stamps, known as a voter verified paper audit trail, or VVPAT, would be made public under state open records laws.
A report evaluating ES&S security prepared by Compuware auditors two years for the Ohio secretary of state--marked "Confidential" but available on the Internet (PDF)--does warn about keeping electronic time stamps. It says that the electronic representation of votes, called the Cast Vote Records, "should not have time stamp associated with it" and must be randomized to protect privacy.
But the auditors viewed timestamps on the physical printout, called the audit log, as needed to detect "tampering" with the ES&S iVotronic hardware. "All actions to the iVotronic are recorded in the audit log with a time stamp," the report said. "This includes opening and closing the polls, voting, inserting invalid voting cards, loss of power, and supervisor access."
David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.
"This summer I learned that Diebold's AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast--down to the millisecond--along with the electronic record of that vote," Wagner said in an e-mail message. "In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record."
The July 20 report on Diebold (PDF), written by Wagner and five Princeton University researchers for the California secretary of state, cites the electronic time stamp as a voting privacy concern. "If the time when each voter checks in is recorded in the poll log book, an attacker with access to the log book could correlate this data with the timestamps to determine how voters voted," the report says. "Alternatively, observers in the polling place could note the time when target voters cast their votes and find the corresponding vote records in the ballot results file."
Ohio law allows just this. Section 3501.13 of state law says "the records of the board and papers and books filed in its office are public records and open to inspection." Anyone who interferes with the public's right to inspect the records, in fact, is guilty of a misdemeanor.
22 commentsJoin the conversation! Add your comment