Debra Bowen Says 'Sleepovers Don't Comply With Security Requirements...It's Really Simple'

Reply to BRAD BLOG Question During Conference Call Monday, Most Direct, Definitive Statement on the Controversial Practice Since She's Taken Office...

By Brad Friedman on 9/18/2007, 4:15am PT

She's hinted as much previously, and her new security requirements issued in the wake of her landmark "Top-to-Bottom Review" of e-voting systems would seem to preclude them, but CA Secretary of State Debra Bowen has now given her most direct comment to date on the matter of voting machine "sleepovers".

"Sleepovers don't comply with the security requirements," Bowen said in response to a question we submitted on the matter during a conference call with the Secretary sponsored by the Courage Campaign.

"It's really simple," she added, after a pause following her immediate, direct reply to the question.

She went on to explain how unauthorized access to a single machine, by a single person, could allow an entire county's election to be flipped, putting everyone's election at risk.

The complete question and Bowen's full answer are transcribed at the end of this article.

The matter of voting machine "sleepovers" --- the practice of sending pre-programmed, election-ready voting systems home with pollworkers, often days and weeks prior to elections, for delivery to polls on Election Day --- first became a controversy last year after The BRAD BLOG exposed the issue as it occurred during San Diego's special election to replace disgraced Republican U.S. House Rep. Randy "Duke" Cunningham. Our exhaustive coverage (see: Busby/Bilbray category) of the resulting scandal continued throughout some 100 articles here.

The special election in San Diego was the first federal contest to have taken place after several analyses of Diebold's e-voting system found that the systems utilized undisclosed software code prohibited by federal standards. The particular type of code is banned at the federal level since it can be exploited to flip an election undetectably.

Subsequent studies at Princeton University and elsewhere revealed that inappropriate access by a single person, to a single machine, could virally affect every other machine used across the same county.

The revelations made the notion of voting machine "sleepovers" all the more stunning to those of us who recognized the remarkable threat the practice posed to the security of our elections...

After discovery of the Diebold security hole in late 2005 --- captured live on video and seen being exploited to flip a mock election during HBO's Emmy-nominated documentary, Hacking Democracy --- the extraordinary vulnerabilities would later be confirmed [PDF] by then-Secretary of State Bruce McPherson's own team of computer scientists at UC Berkeley. New security requirements for such systems were then mandated by federal authorities.

McPherson, however, refused to enforce them during the subsequent 2006 general election.

Several counties, including San Diego --- whose then-Registrar Mikel Haas had previously admitted the practice didn't meet the federal authority's requirement for secure chain of custody for such machines --- continued to send the vulnerable voting systems home with pollworkers nonetheless, for as many as three weeks prior to the 2006 general election.

Last Friday, the issue of "sleepovers" came up during a live radio interview with Santa Cruz County Clerk Gail Pellerin. She told us she planned to send her touch-screen machines, made by Sequoia Voting Systems, home on "sleepovers" again next year with pollworkers despite Bowen having found that Sequoia's machines contained the same vulnerabilities as the systems made by Diebold.

As part of the strict new security requirements issued for the use of such machines (Diebold's here, Sequoia's here, both PDFs) Bowen has now explicitly required that secure chain of custody procedures be overseen by two election officials at all times ("the two-person rule").

According to those requirements, "any piece of voting equipment for which the chain of custody has been compromised" must be "removed from service immediately." Memory cards used in the device are to be removed, and "all device software and firmware must be reinstalled from a read-only version of the approved firmware and software supplied directly by the federal testing laboratory or the Secretary of State before the equipment is placed back into service."

After we informed Pellerin of Bowen's comments last night, she indicated to The BRAD BLOG that she'll be rethinking the practice and exploring other options for deploying voting systems in Santa Cruz.

Just prior to her inauguration as Secretary of State earlier this year, Bowen had stated that she believed "sleepovers are illegal." Her answer to the question on the controversial issue during Monday night's conference call, however, was her first such direct, detailed response on the matter since taking office last January and since the release of the results of her "Top-to-Bottom Review" last month.

The practice of voting equipment "sleepovers" is not a new one in California, or in other states around the country. Unlike the old paper ballot systems, however --- where a single person could not affect an entire election --- new, more vulnerable e-voting equipment has made the issue a major national concern.

Our reporting on the matter at The BRAD BLOG in the Summer of 2006 led to coverage by Lou Dobbs Tonight on CNN. Their story featured a pollworker from San Diego who we first reported on after she had stored voting machines in her garage prior to the special election. Dobbs's report characterized the practice as "mind-boggling." (Video, text-transcript here.)

DNC Chairman Howard Dean then decried the practice during an appearance in San Diego and Bowen herself illustrated the dangers presented by "sleepovers" in a campaign video depicting hackers breaking into a poll worker's garage in order to violate one of the machines.

Freddie Oakley, Clerk-Recorder of Yolo County, was one of California's only county election officials to publicly recognize the dangers of "sleepovers." Just after our initial reports, in June of 2006, she posted an email comment in reply to discussion of the matter and on the question of how delivery of such systems to polling places could be handled securely without the use of "sleepovers."

"As an election official, I understand the practical issues involved here perfectly," she wrote. "I am strongly of the opinion that it is exactly this kind of practical issue that should give election officials serious reservations about deploying electronic voting machines."

"If, as a practical matter," Oakley continued, "[e-voting machines deployed prior to an election] can't be secured, then perhaps they ought not be used at all. Period."

Whether such machines can be used safely, with or without "sleepovers," is of growing concern across the nation. Now that the California Secretary of State has spoken directly to the practice, only time will tell how state election officials will change their procedures in order to meet the state's new requirements for the use of such systems.

Pellerin has promised to return for another radio appearance this Friday at 5pm PT, during our weekly guest slot on The Peter B. Collins Show. No doubt, the issue of "sleepovers" will be one of several interesting follow-up discussions with the Santa Cruz County Clerk.

Either way, it's good to see that such issues are finally being given the attention they deserve by the state's chief election official. It's good to have a new sheriff in town.

The complete question on "sleepovers" and the answer given by CA Sec. of State Debra Bowen, as heard on the Courage Campaign conference call on 9/17/07, follows below...

QUESTION: [You] actually mentioned "sleepovers" a minute ago, and as people read your security mitigation requirements in the voting system recertification document, it seems clear that the so-called voting machine "sleepovers" would now be outlawed by those restrictions, which seem to require that systems remain in the possession of two elections officials at all times. However, some CA registrars, including Gail Pellerin from Santa Cruz as recently as Friday, have stated that she plans on sending machines home on sleepovers again in 2008. Can you give us a definitive word on whether such sleepovers will be allowed in 2008? Particularly given your findings that machines such as her Sequoia DREs can have their security seals violated without notice?

SEC. OF STATE DEBRA BOWEN: Sleepovers don't comply with the security requirements. (pause) It's really simple. You know, I mean for everyone who's argued that 'security by obscurity' is what keeps our votes safe, in other words, that nobody has access to the equipment, having anything out there for days or weeks before just goes in exactly the wrong direction. And I don't want this to be seen as a slam at pollworkers.
Because if 99.999% of pollworkers are honest --- and probably more than that are --- that's terrific. But all it takes is one person somewhere who uses a particular kind of equipment. And because these, the machines, are exactly the same wherever they're used throughout the world, if there is access, unauthorized access to one piece of polling place equipment that allows somebody to figure out a hack or to change something then everybody else anywhere in the world who uses that equipment is potentially at risk. So security needs to be layered. I believe it should be built into the equipment. It also ought to be enhanced by physical security measures including delivery of equipment on the morning of an election or secure custody using the two-person rule.

UPDATE: The complete audio of the conference call is now available below. Courage Campaign has posted the complete transcript here...





