As we move toward the November mid-terms, we're beginning to a more detailed and depressing picture of exactly what we're up against as a nation in less than a week: two major new reports from independent research groups detail the myriad security breaches, and procedural and technical problems in the 2006 Ohio primaries; stories from early voting in Texas indicate that the paperless DREs in at least two counties may have a partisan bias; another major new report from the University of Connecticut details a whole raft of security vulnerabilities in Diebold's optical scan voting machines; finally, BlackBoxVoting.org has released "push this, pull here" instructions for multiple voting on a Sequoia DRE, no hacking skills necessary.

None of this news bodes well for the November mid-terms, which are less than a week away. In fact, what the reports described below indicate is that voters will flock to the polls to vote on fragile, untested alpha systems that, when they break, cannot be fixed by the on-site poll workers; the votes that are recorded cannot be adequately verified by a post-election audit, even if a voter-verified paper "receipt" is printed by each machine and saved by the county; and individual counties may or may not have the technical capacity to actually carry out the task of tabulating all of the electronic results (forget about the paper receipts!) from all of the machines in a coherent and reliable manner.

In sum, people will show up on November 7th at many precincts across America, they will select items on a touch-screen, a lucky few of them will see a paper record of their choices (correctly marked or not) scroll by under a glass, and they will return home having participated in a bit of high-tech political theater that may or may not amount to a bona fide election.

If you think that I overstate things just a bit here, then by all means, read on.

Table of Contents

Way to go, Ohio

With over one million voters on its rolls, Cuyahoga is one of Ohio's biggest and most important counties. On May 2, 2006, Cuyahoga residents used the Diebold AccuVote TSx, the same DRE model on which my most recent election article focused, to cast votes in a federal primary that was publicly marred by major problems with machine failure, long voter lines, and a host of other issues. Shortly after it became apparent that the May 2nd federal primary had encountered serious problems, the county Board of Elections commissioned two different investigations into what went wrong. The results of both of these investigations have just become public this week, and they paint a picture that's about as grim as one could possibly imagine.

Both reports found so many serious problems with procedures and technology that it's hard to know where to begin. So let's start with the short and no-so-sweet summary of the Election Science Institute (ESI) report's key finding:

Key Finding: After three months of exhaustive research, empirical evidence supports the key definitive finding: The machines' four sources of vote totals — VVPAT [voter-verified paper audit trail] individual ballots, VVPAT summary, election archive, and memory cards — did not agree with one another. The current election system appears to provide some of its promised benefits at potentially great cost; namely, that the election system, in its entirety, exhibits shortcomings with extremely serious consequences, especially in the event of a close election.

Much of the press coverage that will come out about this report will probably spend most of the time rehearsing some of the more dramatic of the 234-page report's findings. This being the case, I want to encourage you to read other coverage of this report, like the latest Wired News article by Kim Zetter, because I intend to focus here on some of the big-picture take-aways from the report.

Lack of training and vendor blackmail

One third of poll workers reported problems setting up the machines, and 45% reported problems closing them out after the election. 74% of poll workers said that their preparatory training was either "a lot different" or "somewhat different" than the procedures and situations that they actually encountered on election day. Majorities also said that their technical training was inadequate, they did not have enough hands-on practice with the machines, and their training in election law and administrative procedures was inadequate.

Aside from general problems at the polls, what does this lack of training ultimately portend for the Nov. 7 mid-term elections? Essentially, non-technically-savvy election officials were coaxed into making a very large information technology purchase based on a few demos and some vendor-sponsored "testing," and now they're unable to admit their mistake publicly for fear of making it exponentially worse.

According to my sources, many election officials in Cuyahoga and elsewhere have now come to a private understanding that they blew it, big-time, by buying these systems and rushing them out in what amounts to an untested alpha (not even beta!) state. But if they publicly admit that they were wrong, then the voting machine vendors will withdraw their support and the counties will be left to fly solo on election day. Because of the kind of inadequate training outlined in the ESI report, this would basically shut down the mid-term elections, because county election workers at all levels—from poll workers to sysadmins to Board of Elections officials—would be unable to run an election without massive vendor support.

In short, don't expect to hear any mea culpas or backpedalling from county or state election officials at any point before Nov. 7th. These folks are now on the hook for tens of millions of dollars worth of equipment that simply does not, and cannot, work as advertised, and if they own up to this publicly then what little hope they still have of holding real elections on the 7th will go right out the window along with the withdrawn vendor support.

Lack of training and precinct meltdowns

The median age of volunteer poll workers is 69. Now, try to imagine what an inadequately trained, non-technical senior citizen is going to do when a voting machine starts acting up in a crowded precinct during a high-turnout election. If poll workers respond anything like they did on May 2, then the ESI report indicates that they're going to just start randomly rebooting and swapping memory cards and pressing buttons, and just generally making a bad situation much, much worse.

The poll workers have neither the tools nor the training to fix these systems when they go down, and when even minor glitches start to occur on election day, when the pressure is on, tensions are high, and qualified support personnel are hard to get hold of either on the phone or in person, you can expect that a precinct will deteriorate very quickly.

Machine malfunction and possible fraud

Of the widespread problems encountered on primary day, the most common type involved voter registration (30.1%), with election administration problems (mistakes in procedures, inadequate training, supply shortages, etc.) coming in second (20.6%), and problems with the actual voting equipment coming in third at 16.2%. In the latter category were machine failures, problems with the printers for the VVPAT, encoder and access card problems, problems with the seals and labels on the various components, etc.

The lack of machine IDs and proper labeling on the canisters containing the paper rolls may not sound like a big deal, but it's huge. According to one common reading of an Ohio statute that is almost certain to be litigated in the aftermath of the coming electoral disaster, these paper print-outs are the official legal record of the vote in the state; they're the ultimate and final authority on voter intent.

So why is it that many of the canisters didn't have proper labels on them that enabled them to be paired with a voting machine? I certainly hope it's not because someone with access to a common roll printer of the type used in the AccuVote went and printed out a bunch of counterfeit votes, stuffed them into canisters, and passed them to the BOE. The fact that the votes recorded on these rolls didn't match any of the other vote tallies doesn't give one much confidence, though (more on this below).

It's also discouraging that 87 of these rolls of votes have gone missing, and no one has yet recovered them. Another 40 rolls were damaged, either by crumpling or because the printing wasn't legible. Yes, folks, we're talking about the official, legal record of the vote in Cuyahoga County.

Nothing adds up

The other major cluster of problems that this report highlights concerns the actual vote counting and audit procedures. Specifically, the four different kinds of vote totals available from the machines—individual voter receipts, machine summary receipts, the in-memory election archive, and the contents of the machines' memory cards—did not add up. Due to a variety of problems known and unknown, each of these four sources of information gave different vote totals.

I've been further informed by the founder of ESI that there were around 60 different copies of the final vote database (an unencrypted Access database, if you recall from my election article), and that there was no naming convention in place to enable officials to tell one from the other. When ESI asked for a copy of the vote tally database for auditing purposes, the response was (and I'm paraphrasing here), "Which one?"

The upshot of all of this is that, in spite of the presence of a legally mandated VVPAT, technical and procedural problems (not to mention still-missing paper rolls, memory cards, and voting machines) make it fundamentally impossible to carry out a meaningful audit of the results of the May 2nd primary in Cuyahoga County. So whatever happened on May 2nd in Cuyahoga County, it only superficially resembled an "election."

More missing stuff, and more eyebrow-raisers from the second report

The ESI report says that 29 AccuVote machines went missing after the election. They just disappeared, and I've verified in a phone interview with the founder of ESI that none of these machines have turned up yet.

At this point, I'll go ahead and remind you that the Princeton team that wrote the vote-stealing virus mentioned in my article did so by reverse-engineering an AccuVote. They had no access to any source code or documentation; all they had was one AccuVote and a little time.

A second report that was released this week, this time by a specially appointed Cuyahoga County commission, contained yet another bonanza of depressing details that cast serious doubt on the integrity of the primary, and on the possibility of having a real election on November 7th. I've already spent a lot of space here on the ESI report, so I'm going give you Kim Zetter's bullet-point summary of bad news, from her Wired article:

Due to poor chain of custody for supplies and equipment, 812 voter-access cards (which voters place in touch-screen machines to cast their ballot) were lost, along with 215 card encoders, which program the voter-access cards. Three hundred thirteen keys to the voting machines' memory-card compartments, where votes are stored, also went missing.

Officials set up two user accounts on the computer running vote-tabulation software, then assigned one password to both accounts and allowed multiple people to use them, thwarting any effort to identify individuals who might access and alter the system.

Sixty Board of Election employees took touch-screen machines home a weekend before the election to test a procedure for transmitting data on election night.

The election board hired 69 taxis to transport observers to precincts to collect memory cards and paper rolls on election night. But many cab drivers ended up gathering the materials themselves, and about half the cabs returned to the warehouse with election data, but no observer.

In at least 79 precincts the number of voters who signed the poll books didn't match the number of ballots cast. At least eight precincts had more ballots cast than registered voters. Because some polling places served several precincts, some of the discrepancies are explained by voters being directed to the wrong machines, an error that did not result in uncounted votes. But even when investigators tallied ballots and signatures for all precincts in a polling place, 15 locations still had mismatches. In one case investigators found 342 more voters than ballots.

So enough hardware went missing in the May 2nd primary to allow a group to host an entire election. All the Princeton team needed to write a vote-stealing virus was one DRE.

To sum up, if we randomly assume that deliberate vote manipulation was not a factor in any of the problems surrounding the May 2nd primary in Cuyahoga County, then here's what's scary: all of the technical and procedural breakdowns outlined in these two reports happened on their own, over the course of a relatively low turn-out election, without any help from bad actors. Can you imagine if deliberate wholesale fraud were thrown into this mix, especially in the context of a high-turnout, hotly contested election?

What about the VVPAT?

Before leaving the topic of Ohio, I want to make a few quick points about the failure of the voter verified paper audit trail (VVPAT). Opponents of the VVPAT will be quick to hold these reports up as evidence that VVPAT is not a magical cure-all. These people are right: it's not a magical cure-all, and it isn't supposed to be.

All that proponents of a VVPAT are insisting on is that it's infinitely better to have one than to not have one. No, the real take-home from the May 2 primary in Cuyahoga County is that a VVPAT is worthless if it's not implemented properly. Here are the problems with AccuVote TSx implementation.

The printer on the AccuVote is one of those cheap roll printers of the type that commonly jams in the supermarket checkout line. The failure rates of such printers are extremely high, and they're simply not adequate for use in voting machines. Also, the cheap roll paper is thin, fragile, prone to jamming, and not suitable archival material. A real VVPAT would be printed by more high quality printer on heavy card stock that's meant to last.

The damaged paper rolls, and many of the instances where the receipts were illegible due to printer malfunction (e.g. a jammed printer prints multiple times over the same stretch of paper without advancing to a clean sheet) can be directly attributed to the shoddy printer and paper used to print these receipts.

No matter how great the printer is and how sturdy the printer paper, a VVPAT is worthless if it goes missing, or is destroyed, or if it can't be tied to a particular machine because there's no canister label.

A VVPAT is worthless if an random audit of the votes is not carried out after each election.

A VVPAT doesn't make a whole lot of sense if there's no procedure in place for the voter to dispute an incorrectly recorded vote. In other words, what happens if you vote, and the printed receipt indicates that your vote was miscast by the machine? Can the poll worker delete that vote, remove the receipt, and let you go again? Or do you just have to suck it up and know that your vote was miscast?

Problems in Texas and Florida

Shortly after my recent election fraud article went live, I got email from a Texas woman whose daughter reads Ars. This woman claims that during early voting she voted a straight Democratic ticket at a precinct in Collin County (in Dallas), but the touch-screen that she used kept flipping all of the votes to a straight Republican ticket at the confirmation screen. She and a poll worker were unable to resolve the issue, so she wound up voting for Republicans across the board.

A local TV station in Jefferson County, Texas is running a report that indicates that others have had this exact same problem. In some cases, a straight Democratic ticket has Republican candidates mysteriously mixed in with it.

The Miami Herald reports that this exact same phenomenon is occurring right now in early voting in Florida, complete with the same Democrat-to-Republican vote flipping.

There's no way to tell whether the reported vote-flipping is the result of malfunction or malfeasance, since there are a nearly infinite number of possible technical problems—from screen misalignment to software glitches—that could cause this kind of behavior. Furthermore, I would expect that if there were a nationwide Republican conspiracy to hack the vote in both Texas and Florida, that they could find a programmer who'd do a better job of hiding the vote fraud than this. So I point it out mainly to notify our audience that these kinds of ominous glitches are already showing up in early voting, and to beg poll workers and election officials across the country to immediately power off and seal any machine that does this, so that it can be forensically examined later.

Problems with Diebold optical scanners

Avi Rubin's blog highlights a major new security study of Diebold's AccuVote Optical Scan (AV-OS) voting machine. Here's part of the abstract:

We present an independent security evaluation of the AccuVote Optical Scan voting terminal (AV-OS). We identify a number of new vulnerabilities of this system which, if exploited maliciously, can invalidate the results of an election process utilizing the terminal. Furthermore, based on our findings an AV-OS can be compromised with off-the-shelf equipment in a matter of minutes even if the machine has its removable memory card sealed in place. The basic attack can be applied to effect a variety of results, including entirely neutralizing one candidate so that their votes are not counted, swapping the votes of two candidates, or biasing the results by shifting some votes from one candidate to another. Such vote tabulation corruptions can lay dormant until the election day, thus avoiding detection through pre-election tests.

Rubin considers the report pretty devastating, and he includes this further tidbit from the report in his blog:

The attacks in this paper are cleverly designed to make a compromised machine appear to work correctly when the system's audit reports are evaluated or when the machine is subjected to pre-election testing. Besides manipulation of the voting machine totals and reports, the authors explain how any voter can vote an arbitrary number of times using (get this), Post-it notes, if the voter is left unattended.

That's right folks: cast multiple votes with a Post-it note. You can find directions for doing so inside the report.

I wonder if the Post-it hack works on optical scanners from other companies. This would be worth finding out, since about 40 percent of votes will be cast using optical scanners on the 7th.

Vote multiple times on a Sequoia machine by holding down the yellow button

By way of finishing off today's litany of positively awful e-voting news, I bring you step-by-step instructions for casting multiple ballots on any Sequoia machine. No computer skills needed; just reach around the back of the machine and hold down the yellow button. Courtesy of BlackBoxVoting.org.

Six years after the Florida fiasco, can you believe this is happening?

Conclusions and some recommendations

If you're upset and outraged by what you've read here, then probably the best thing I can think of for you to do is get involved with the Election Transparency Project. The premise is very straightfoward, and can be summed up like this (in my own words): the mid-term is probably going to be a complete wreck, so the only hope we'll have of sorting through the mess and enacting meaningful reform is if we have the electoral equivalent of the indestructible "black box" that sits inside every airplane and helps the FAA sort out the causes of the crash. The Election Transparency Project is aimed at helping voters do what that black box does, i.e. make a lasting and public record of all the relevant information surrouding each local election (e.g. pre-election testing, conditions at precincts, suspicious activity, etc.).

Our only hope at this point lies in the eyes and ears of each person at the polls, and in ordinary citizens' willingness to confront election officials and demand on-the-record answers to questions about every aspect of their local election. Only with the aid of massive amount of documentation will we be able to sort through the mess on November 8th.

If you're a member of the mainstream media and you've read this summary, here's what I'd like you to take away from it:

No business in America would put someone with no computer expertise in charge of a multimillion dollar information technology (IT) purchase. However, this is precisely what we've done with our election officials. Good, well-meaning but technically naive bureaucrats all over the country have been sold huge, complex, untested computer systems that masquerade as simple "voting machines." These officials have been put in charge of a massive IT procurement project, and they simply are not qualified.

From what I understand, a typical scenario goes something like this: a vendor representative comes in with a demo unit that looks nice and has enough functionality to make it through a closed-door demonstration in front of a technically illiterate audience of county and state election officials, who're wowed by high-tech glitz. In support of the purchase, the vendor produces "test results" and "evaluations" from so-called testing companies that are on the vendor's payroll (see Lou Dobbs' recent reporting on this issue).

What the county officials don't know is that the individual voting machines are basically alpha test units (these officials probably don't even know what an "alpha test" or "beta test" is), and these machines don't really fit together into anything like a fully functional election system. Furthermore, the election officials have no clue how to evaluate a large IT purchase (again, they think they're buying "voting machines" and not networked computers); and they don't have a paid or volunteer staff with enough technical know-how to handle a large-scale IT deployment. What they do have, in the vast majority of cases, is a volunteer army of dedicated but untrained senior citizens, who're given the impossible task of doing support and maintenance for machines that are fragile, finicky, and insecure.

This is what most of us face on November 7th, as we head to the polls in one of the most important mid-term elections in living memory. The stakes have never been higher, and the machinery of democracy has never been in such a state of broken-down chaos.

Postscript for Cuyahoga County

In the wake of the two reports cited above, officials in Cuyahoga County have plans to spend almost $700,000 on poll worker training. But no matter how much money they throw at the problem, they can't turn these volunteers in the kind of security-minded technical wizards that they'd need to be in order to deliver secure, transparent, reliable elections on November 7th.

At every level—from the machines themselves to the vote tabulation and results reporting—the Ohio mid-terms are wide open to malfunction and malfeasance. Nothing can be done about this in under one week.

The only thing that Ohioans can do is go to the polls on mid-term day and observe everything that happens. The more citizen eyes that Ohio has watching and recording the events of the day, the easier it will be to sort out what has happened afterwards. If you live in Ohio and are registered to vote, then please head over to VerifiedVotingFoundation.org and join the Election Transparency Project. This project will help you know what questions to ask your election officials, and what information to record on election day.

Finally, if you have a problem that you'd like to report to the media, please try to find other folks who've had the same problem and who'd be willing to go on record about it. One personal anecdote is not enough to get media coverage of your story; you'll need corroborating evidence from others in order to get the attention of the press. So show up, keep your eyes open, and compare notes afterwards with friends and family.

Good luck, Ohio.