Orange County, CA, Hart Intercivic E-Vote System Fails During My Demo at Orange County Fair
By Brad Friedman
August 15, 2011
Write-in 'disappears,' county workers unaware of vulnerabilities...
So I forced myself to take a few hours off yesterday. As too often happens, it turned into a busman's holiday.
We took a trip out to closing day at the Orange County Fair in Costa Mesa, CA, had a great time in the bargain, and even shared a bunch of fun/snarky photo tweets throughout the day (see here, here, here, here, here, here, here, here, here, here, here, here, here, and here if you're interested, or are not otherwise already a Twitter follower of @TheBradBlog.)
It was all fun and games and sassy social observation until we had the good fortune to chance upon a booth being run by the Orange County Registrar of Voters Neal Kelley, where two delightful representatives of the office were on hand to help folks register to vote and to offer a demonstration of the country's 100% unverifiable Direct Recording Electronic (DRE) voting system.
As I would come to learn, the two delightful representatives of the office had no idea that their own e-voting system was actually 100% unverifiable until I explained to them how that was the case. Equally as troubling, as I was testing out one of the Hart Intercivic eSlate demo systems set up for voters to try and learn how to use them, it failed on me while I was running through the demo ballot created for fair goers...one of my selections disappeared entirely...or at least appeared to...
Orange and San Mateo Counties are the only two among CA's 53 counties to still use, for the standard voting system for all users, 100% unverifiable DREs (usually touch-screen, but in the case of the Hart Intercivic eSlate, it employs a little cursor wheel at the bottom of the screen to scroll through selections, rather than a touch-screen). The DREs made by other manufacturers, such as Diebold and Sequoia, were largely decertified entirely for use as standard (non-accessibility) voting systems by CA Sec. of State Debra Bowen following her landmark 2007 "Top to Bottom Review" of all e-voting systems in the state.
Only the Hart eSlate (albeit with certain security mitigation requirements) was allowed for full continued use, for reasons that still remain largely a mystery to me given that computer scientists who worked on the study, as well as others, have suggested to me that Hart's architecture is as bad as, and arguably worse than, that found on DRE systems made by Diebold, Sequoia, and ES&S.
(In the CA review, as one of the experts, Dan Wallach of Rice University, recently described the findings by him and his colleagues, the Hart systems were found to be "unacceptably insecure." You can review the team's security-redacted source code analysis of the Hart system --- just one part of the independent review of the system by world-class scientists in that study --- right here [PDF].)
Nonetheless, voters in the very-Republican Orange County are, shamefully, still presented with these 100% unverifiable voting systems at the polling place each Election Day, years after we've learned about the problems and vulnerabilities in the systems.
I had not personally had the opportunity, prior to yesterday, to actually try casting a vote on a Hart Intercivic eSlate, so I was delighted to get the chance to take it out for a test drive at the OC Registrar's booth at the fair.
It didn't go well.
Or maybe it did. Neither I nor the Registrar's two reps could tell for sure. And that, of course, is precisely the problem with these types of systems.
My Write-In Vote Disappeared
Sadly, the battery on the cell phone we were using to try and video tape my attempt to use the system to cast a demo ballot ran out during the process. So my written explanation of what happened here will have to suffice for the moment.
The test "ballot" they had set up on the eSlates at the fair was to allow voters to vote for a number of fictional federal, state, and non-partisan races, and even two fictional ballot initiatives. (One of those initiatives asked if Orange County should use the Internet for elections!!! If you're unaware of what my response might have been to that insane question, see this and this.)
While the process of spinning the cursor wheel took much longer than simply inking in an oval on a paper ballot might have, while a bit clunky, it all seemed to go smoothly enough in general once I got used to it, until I got to the summary screen where I was to review my selections to make sure they appeared to be correct.
One item, however, had "No Selection" next to it, in a red font, instead of the name of a candidate in black.
Having not recalled missing any items on the ballot, I was surprised to see that. The Registrar's representative who was working with me said that perhaps it was a race where I could have selected more than one candidate. So I clicked on "No Selection" and was taken back to the race for "City Council" which, indeed, had offered the instruction (which I didn't notice the first time) to "Select no more than two candidates." I had only selected one. So the system, for whatever reason, described that back to me as "No Selection" on the summary screen for that race.
Upon discovering that I could vote for another candidate in that race as well, I decided to select a box that was blank. That brought up the "Write-In Candidate" screen, allowing me to spell out the name of a write-in selection for the office. I determined I would vote for myself here, "BRAD FRIEDMAN."
It took a while spinning the wheel through all of the letters of the alphabet in order to spell that out, and at some point I mis-clicked a letter and needed to go back one space to correct it. Rather than select the "Clear Last" option, which I hadn't noticed, I selected the "Cancel" option instead. That took me back to the summary screen with the red "No Selection" item still there.
So I had to start the process all over again.
This time I managed to go through the write-in process to correctly spell out "BRAD FRIEDMAN" as my write-in choice, spun the dial down to the "Accept" button, hit the physical "ENTER" button below the screen and thought I'd be just about finished.
Instead, I was brought back to the summary screen where the same red "No Selection" notice still appeared next to the "City Council" race.
Huh? What happened there? Was it my fault somehow? Did I manage to incorrectly hit "Cancel" again instead of "Accept"? I don't believe so, since I was trying to be particularly careful on that second attempt to hit everything absolutely correctly after having screwed it up during my first attempt to write myself in. I'm also pretty good with computers, given what I do for a "living" these days, in addition to the ten years or so prior that I spent as a computer programmer.
So with no clue what might have happened, I clicked "No Selection" again, went back to the "City Council" race and, for a third time, spelled out "BRAD FRIEDMAN" with the cursor wheel, carefully selected "Accept" again and, this time, it "took." At least according to what was shown to me on the summary screen (my name, instead of "No Selection" on the "City Council" line item.)
While I was chatting with the two ladies throughout the process, asking them questions and for guidance, etc., it's possible that I got distracted somehow and the "disappearing" write-in vote could somehow have been my fault. Though I don't believe so. Either way, neither they nor I noticed my having hit an incorrect selection that would have caused the problem described above where my write-in vote seems to have disappeared.
They Didn't Know the System Was Unverifiable or Vulnerable
My demo vote had finally been accepted by the system. We tried another demo "ballot" to see if we could repeat the same problem with my write-in vote disappearing as it seemed to do previously. We could not repeat the disappearing write-in choice on that second try. However, undoubtedly, we hadn't carried out the exact same sequence of selections the second time around, even as we attempted in general to do so.
But before that, I had to complete the voting process on my initial electronic "ballot." To do so, I was required to hit the "Cast Ballot" button about three different times throughout the final confirmation sequence....
That process, however, while it went well enough (although a bit confusing because every time I had hit "Cast Ballot," I thought surely I'd be finished) seems to present a great opportunity for gaming the system in a similar way to that of the top election officials in Clay County, KY, who were found guilty of having done exactly that on similar ES&S iVotronic touch-screen voting systems used in their county in 2006. That scheme was part of a years-long conspiracy to steal elections in the very rural, very Republican county.
The nine officials convicted in the Clay County election fraud conspiracy last year --- among them, the County Clerk, a Circuit Court Judge, and the county's School Superintendent, all members of the county's Elections Commission --- were sentenced to some 156 years in federal prison earlier this year, after their trial proved that they had been manipulating elections for years in the county. Most recently, in 2006, the election fraud carried out by the conspirators included poll workers changing the votes of actual voters on the touch-screens after they'd left the "booth".
Their rather low-rent, social-engineering hack was accomplished because poll workers who were in on the scheme had instructed voters that the voting process was complete after they hit the big red "VOTE" button on the ES&S iVotronic computer. A sensible enough thought. But, in fact, voters need to continue after that, through the use of the "Cast Ballot" button on those machines before their ballots are actually recorded (either accurately or not) by the system. Exploiting that design flaw (or feature, depending on how you might look at it) in the system, the crooked poll workers were then able to go to the machines after the voter had left, change the voter's ballot to their own selections, and then correctly complete the full process, stealing the legitimate votes from unknowing voters in the process.
There is no evidence that such a scam was ever pulled off on Orange County, CA's Hart Intercivic machines. On the other hand, there is no evidence that it wasn't either. It certainly could have been.
Similarly absent from Orange County's e-voting system --- as with any DRE voting system --- is any evidence that any vote, ever cast by any voter during any election for any candidate or initiative on the ballot has ever been recorded by the DRE system accurately, as per any voter's intent.
Therefore, the Hart Intercivic eSlate systems shamefully still used in Orange County --- and in many other places, such as Texas, where the Austin-based company's e-voting systems are rather ubiquitous --- amount to 100% faith-based voting systems. There is no evidence to prove that votes are recorded accurately by them during elections. Voters are forced to accept the results completely on faith that they have been reported accurately.
The two very nice workers at the OC Fair --- one says she has worked at the Orange County Registrar's office for three years, the other more than a dozen years, if I recall correctly --- had never realized any of this until I explained it to them. Prior to my visit it seems they had felt quite good about their unverifiable electronic systems (though they admitted they always vote by absentee ballot on paper themselves), explaining to me that the county has never discovered an inaccuracy with them.
Of course not. That's the problem with these systems. It's unlikely that any such error will ever be "discovered" on them, because there is simply no way to prove whether they record votes accurately or not. The election fraud in Clay County, KY, was only discovered after someone else had informed federal officials about the scheme. Once I explained the concerns, the two ladies certainly understood the problem, and said they looked forward to reading up on it.
When we discussed how someone could defraud such a non-verifiable system, internally, I explained how misprogrammed memory cards --- or even the physical swap of memory cards which store voting results --- as well as general ballot mis-programming of the systems, could be accomplished to flip election results inside the machine, with no notice given to the voter on either the computer screen or the so-called "paper trail" that prints out next to it (the one which rolls back into the machine after it is supposedly approved by the voter as accurate.)
When they asked how voters could game the system in the way I described, I explained that, as computer scientists and security experts have long warned, the greatest threat to these systems comes not from outsiders, such as voters, but from insider election officials --- like them. One of the two ladies says she was even the one responsible for the programming of the Spanish language ballots used in the county. I instructed her she might have a swell opportunity to make a lot of money if a bad guy wanted to interest her in helping to game an election in Orange County.
I further had to explain that it doesn't really matter what is on the "paper trail" or on the screen as seen by the voters. It's how the machine actually records the vote internally that matters.
They responded by pointing out that two weeks following elections the office manually reviews a random 1% of paper trails, as per state law, to help assure they match with the results reported by the machines' electronic memory cards. In turn, I explained that a) that leaves some 99 percent of votes that could have been misrecorded by the machine, b) we have no way of even knowing if the 1% of paper trails checked by officials were actually reviewed by the voters at all, much less accurately, and c) following the 2004 Presidential election in Ohio, two top election officials in Cuyahoga County (Cleveland), the state's largest county, were convicted and sentenced to the maximum time in jail for having pre-counted and pre-selected the so-called "random" selection of 3% of ballots to be hand-counted during the recount request filed in the Presidential election by the Green and Libertarian Parties.
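The arithmetic behind point (a), as an added example that is not part of the original post: it computes how likely a truly random 1% sample is to include even one altered audit unit, and how large the sample would have to be for an audit to be confident of catching it. The unit counts (2,000 audit units, 10 of them altered) are constructed for illustration and are not Orange County figures, and the code assumes the best case, that inspecting a sampled unit always exposes an alteration in it, which points (b) and (c) dispute.

```python
from math import ceil, comb


def detection_probability(total_units, altered_units, sampled_units):
    """Chance that a uniform random sample (drawn without replacement)
    contains at least one altered unit: 1 - C(N-k, n) / C(N, n)."""
    if altered_units <= 0 or sampled_units <= 0:
        return 0.0
    sampled_units = min(sampled_units, total_units)
    # comb() returns 0 when the sample is too large to miss every altered unit.
    missed = comb(total_units - altered_units, sampled_units)
    return 1.0 - missed / comb(total_units, sampled_units)


def one_percent_sample(total_units):
    """Units drawn by a 1% audit, rounded up so that at least one is drawn."""
    return max(1, ceil(total_units / 100))


def sample_needed(total_units, altered_units, target):
    """Smallest sample size whose detection probability reaches `target`,
    or None when nothing was altered and no sample could find anything."""
    if altered_units <= 0:
        return None
    for n in range(1, total_units + 1):
        if detection_probability(total_units, altered_units, n) >= target:
            return n
    return total_units


if __name__ == "__main__":
    N, K = 2000, 10  # constructed: 2,000 audit units, 10 of them altered
    n = one_percent_sample(N)
    print(f"1% audit draws {n} of {N} units")
    print(f"P(at least one altered unit sampled) = {detection_probability(N, K, n):.3f}")
    print(f"units needed for 95% detection: {sample_needed(N, K, 0.95)}")
```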
The workers from the OC Registrar's office at the County Fair had no idea about any of this. Apparently Registrar Neal Kelley does not go out of his way to inform his own long-time employees about the dangers, vulnerabilities, and complete failings of the voting systems used in his county.
At least two of the employees there have now been informed of some of those dangers, failings, and concerns, and told me they'll be interested in reading up on it all and discussing it with their superiors at the office.
I hope they do. And, while they're at it, if the office is able to take a look at the audit logs from that demo machine I used to try to figure out why my write-in selection seems to have disappeared entirely the first time through, I'd certainly be interested in an explanation.
While problems such as those described above are hardly unusual --- for years voters have been complaining about votes flipping and/or disappearing on DRE voting systems --- I should note this isn't the first time I've personally had similar problems with electronic voting systems.
In two different actual elections here in Los Angeles County --- where the electronic ballot system made by ES&S is generally only there for optional use by disabled voters (all others cast their vote on paper ballots which are either counted accurately or not by the county's op-scan computers) --- the system completely failed.
During the 2008 state primary elections, the first time I tried using the county's ES&S audio ballot system, ostensibly for use by blind voters, I was able to discover (because I'm not blind) that the computer system had mis-printed 4 out of 12 of my votes on the paper print out. The L.A. County Registrar/Clerk, Dean Logan, carried out an investigation afterward and was able to repeat the problem as based on evidence offered by photos and other material I had submitted to them. They were able to determine that the failure occurred that time because a poll worker was allowed to enter some incorrect information about my polling location into the system while setting up my ballot for me to vote.
The second time I tried to use the same system, two years later during the 2010 state primaries, a similar problem occurred and I was ultimately unable to use the system at all to cast my vote, even after trying to do so on two different machines at the same polling place.
So I'm 3 for 3 in failures while voting on electronic systems. I wonder how many other folks who don't do this for a "living" have similar problems, but never even notice at all...