Sunday, August 10, 2008
Use of Hart voting computers under fire for entire state, not just for Maui
by Larry Geller
The way things are going with our Office of Elections, I wouldn’t be surprised if the next bit of news were that Jimmy Carter is on his way over here to check out the integrity of Hawaii’s electoral system.
At the bottom of today’s Advertiser story, Voting-machine deal in jeopardy, which mainly concerns the just-out decision by a state hearings officer that Chief Elections Officer Kevin Cronin was in error in awarding the contract to Hart, but that it’s too late to stop the contract for this year, is this description of the Maui lawsuit against Cronin I’ve written about earlier:
Five Maui residents, meanwhile, have sued Cronin and the elections office for failing to adopt administrative rules for using the Hart machines to transmit votes from the Neighbor Islands over telephone lines.
The residents, who want the Neighbor Island results flown to Honolulu on election night, argue that the transmissions could be hacked and votes could be flipped without the public knowing. The lawsuit is before a Circuit Court judge on Maui.
Without administrative rules, it’s not just transmission of votes from Neighbor Islands that’s at issue. Basically, it’s hard to see how the computers could be used at all in Hawaii.
Should the lawsuit succeed, probably there would be a mad scramble to hold public hearings and set up administrative rules of some kind. A hasty process would certainly be detrimental to the interests of democracy in Hawaii. I’ll give you a reference from California that argues against any hasty acceptance of these machines.
The Maui case is proceeding, with the next hearing scheduled for 1:30 p.m. on Wednesday. It’s Civil No. 08-1-0378(3) for those who are able to go over to Judge Cardoza’s courtroom to observe or give support.
One of the plaintiffs, Bob Babson, has been an official elections observer and is deeply concerned about the integrity of the process should the Hart Intercivic machines be adopted. He is not simply trying to shoot the machines down, but rather has expressed detailed concerns and made recommendations. I am not saying that these are related to the current lawsuit, but I’d like to give you a brief idea about his dedication to this issue.
I’ll paraphrase just one point from Bob’s emails, related to how these computers can flip votes, and no one would know it:
The Hart tabulators at the four county count centers are connected to telephone lines so they can transmit votes to the Hart tabulator at the state count center which is also connected to telephone lines.
However, since they are connected to open telephone lines, they could easily be programmed (secretly) to dial … a secret website controlled by Hart where the vote files could be opened and votes flipped and then immediately sent onto the state count center.
Bob correctly points out that we would never know if that has been done.
For anyone who thinks this is just some kind of “conspiracy theory,” here is a longish snippet from a California document, “WITHDRAWAL OF APPROVAL OF HART INTERCIVIC SYSTEM 6.2.1 DRE & OPTICAL SCAN VOTING SYSTEM AND CONDITIONAL RE-APPROVAL OF USE OF HART INTERCIVIC SYSTEM 6.2.1 DRE & OPTICAL SCAN VOTING SYSTEM (December 6,2007 Revision)“:
Whereas, the Hart Source Code Review Team found that the Hart voting system contains design features that can be used in a fashion for which those design features were not intended, including network interfaces that are not secured against direct attack; and
Whereas, the Hart Source Code Review Team found that the Hart voting system's software fails to check the correctness of inputs from other Hart voting system components and uses those inputs in unsafe ways, potentially enabling an attacker to use voting system components to reprogram voting system units throughout the county with malicious code that would affect a subsequent election; and
Whereas, the Hart Source Code Review Team found that the Hart voting system exhibits a notable lack of the use of cryptographic security protocols to secure network communications, and where cryptography is used, a single countywide symmetric key is used that could allow a person to forge ballot information and election results in multiple polling locations; and
Whereas, the Hart Source Code Review Team found that the Hart voting system allows raw ballot records and other information to be used to reconstruct how each voter voted, potentially compromising the secrecy of the ballot; and
Whereas, the Hart Source Code Review Team found that many attacks are hard to detect and correct, defying development and implementation of simple, effective countermeasures; and
Whereas, the Hart Red Team that conducted penetration testing of the Hart voting system discovered multiple vulnerabilities; and
Whereas, on non-polling place components of the voting system that run on a Windows platform, Hart Red Team members located an undisclosed database user name and password and also manually bypassed Hart software security settings so they could run the Hart software in a standard Windows desktop environment, a possible vector for unauthorized access to the voting system's databases; and
Whereas, Hart Red Team members determined that the Hart voting system software fails to check the correctness of inputs from other Hart voting system components; and
Whereas, Hart Red Team members were able to access device-level menus on the Hart eScan precinct-based optical scan unit that should have been locked with passwords, which could allow access for altering voting system configuration settings; and
Whereas, Hart Red Team members confirmed findings from previous studies that allowed malicious actions to be performed on the Hart eScan precinct-based optical scan unit, including altering vote totals, using tools commonly found in an office; and
Whereas, Hart Red Team members were able to demonstrate the ability, after the close of the polls, to use a laptop computer to tamper with a Mobile Ballot BOX-memory device used to record votes cast on the eSlate direct recording electronic voting device, an attack that, if undetected during the tampering, could alter vote totals in a manner not detected by technological safeguards but detectable in a manual recount; and
Whereas, Hart Red Team members found that the Hart voting system allows for remote eavesdropping and capture of the audio narration of a ballot (a feature designed for use by voters with disabilities), potentially violating the secrecy of the ballot
Again, I’m citing this for the purposes of this article, and to give you an idea why it could be a bad idea rushing to adopt any of these voting computer systems without adequate review. I don’t know if this relates to the Maui lawsuit in any way.
The California document would be good reading for our chief elections officer. It also details actions that the California Secretary of State required before the machines could be put back into service. Here’s one, related to the network connectivity weakness:
No network connection to any device not directly used and necessary for voting system functions may be established. Communication by or with any component of the voting system by wireless or modem transmission is prohibited at any time. No component of the voting system, or any device with network connectivity to the voting system, may be connected to the Internet, directly or indirectly, at any time.
If network connectivity, with all its risks, is bad news in California, isn’t it bad news in Hawaii too?
The hearing officer’s order permitting the use of Hart machines in the 2008 elections can be appealed.
Should Judge Cardoza rule against the elections office, that could also stop them.
Speaking of votes, I think we owe a big vote of thanks to Bob Babson and the other plaintiffs and to their attorney Lance Collins for putting this question before a judge. Their lawsuit is not about who gets a contract, it’s about protecting our sacred election system against fraud and manipulation.
Unfortunately, the Judge ruled against the injunction yesterday and in doing so seemed to gloss over much of the hard evidence provided by Babson et al. I'm sure you will hear from Babson himself who will proclaim that the fix in in for any 2008 race the muckedy-mucks want it to be--from McBush on down to local races. And, you know what? He might be right!