Recent U.S. Government Accountability Office reports found no smoking gun during Florida’s continuing investigation of Congressional District 13’s 18,000 undervotes. Not surprising since the GAO observations could not assure that all 1,499 of Sarasota’s iVotronic machines contained only Florida certified hardware and software. Moreover, the Florida Division of Elections’ audit verified only 6 machines for certified software, and parallel tested only 10 machines. (For you programmer types, there was no mention of resetting the machines’ internal systems date to November 6, 2006 prior to testing.)
Still, contained within the finding of the GAO report is a series of circumstances that individually reveal an apparent lapse in sound business checks and balances, and computer security basics with regards to Elections Systems & Software (ES&S). Together they are troubling.ES&S effectively holds the power. ES&S manufactures the machines, dictates the testing process, produces test data, system manages the voting process, tallies the votes, pronounces the winner, then produces the reports to declare a valid election.
The following concerns are based on the GAO’s study of Florida’s District 13. However, they are not specific to Florida. All states should review their voting processes to tighten up security and close loop holes such as these:1. When Florida load tested the iVotronic touch screens, they used the ES&S manufacturer’s own test data.
Load testing helps to ensure the voting machines can process the expected volume of vote data. However, the reliability of this particular testing method is diminished by the State of Florida Division of Elections relying on the manufacturer’s own data to perform the tests. Creating test data can be technically challenging and time consuming. But to rely solely on the manufacturer is the equivalent of sending your car salesman out alone in the dark to test drive your new car.
How do you test a touch screen without touching it? The iVotronic touch screens require calibration to in effect align the ballot. The calibration process consists of touching the screen at 20 location points with a stylus. That in itself could lead to problems. Isn’t it important to ensure these touch screens hold up to the entry of 100 plus ballots on Election Day?3. Sarasota County did NOT perform load testing according to the GAO report.
It would be disconcerting if Sarasota or any county anywhere designs the ballot, installs it on 1,499 voting machines, but does not perform load testing on the ballot design. Otherwise, how can you know your ballot design doesn’t lose votes or count them for the wrong candidate or produce erroneous results? This concern applies to optical ballot scanners as well.4. Sarasota County performed logic and accuracy tests on 32 of 1,499 iVotronic DREs prior to the 2006 primary.
That leaves 98% of the machines untested.
That means 97% percent of the possible Election Day data combinations were not tested. Tests verified only 3 of the 112 ways voters could select their District 13 candidate and cast their ballot. Note the total of 112 is in itself misleading since the 112 number isolates District 13 from the other contests on the ballot. Factoring in the other races and issues would result in over 100 trillion combinations. Testing trillions of combinations would be impossible. Testing the more likely combinations of a contentious race is reasonable and responsible.6. iVotronics voting machines independently count every vote before uploading machine totals to the ES&S central computer, the Unity election management system. (As do optical ballot scanners.)
Since each machine records the votes and tabulates the votes independently, they hold the power to potentially flip votes. While one touch screen machine would not alter the outcome of an election in most cases, several renegade touch screens or one optical ballot scanner might.7. The ES&S central computer tallies the votes and declares the winner.
IF election laws are changed to recognize improbable results and call for a re-vote, IF scrupulous controls are in place to ensure the integrity of both the touch screen and optical ballot scanner independent vote counting machines as well as the central computer, this is less disconcerting. However, since the same vendor manufactures all machines, collusion as a first step in defense would not necessarily be required for a company insider to achieve intrusion from the top or the bottom.8. Election Day, poll workers use a PEB storage device to load the appropriate ballot into the iVotronic for each and every voter. The PEB is a storage device containing the personalized electronic ballot definition.
Each open portal creates a risk point vulnerable to intrusion by an outside hacker. The potential exists for an infected voting machine to transfer infected data or programs up to the central computer which in turn transfers the infected programs to the other voting machines.
9. The iVotronics interacts with compact flash cards to update the iVotronic computer programs.
Same concerns as Item 6.
10. At the end of Election Day, precinct counts are uploaded to the central computer via modem. Poll workers move or copy data from the iVotronic to the PEB. PEB precinct level votes are copied to the Election Reporting Manager.
Same concerns as Item 6.