Wednesday, February 03, 2010
New Jersey judge orders voting machines disconnected from Internet as Hawaii looks to hook them up
by Larry Geller
A New Jersey judge has handed down a ruling in a five-year-old battle by voting rights advocates in that state against insecure voting machines. There were several issues resolved, and I’ve highlighted in bold face the sections of this snippet that relate to Hawaii and especially to last year’s Babson v. Cronin lawsuit:
Mercer County Superior Court Judge Linda Feinberg held that New Jersey's 11,000 voting machines have to be re-evaluated by a qualified panel of experts within 120 days to determine whether they comply with NJ law requiring that they be accurate and reliable. Unlike the panel that currently evaluates voting machines, the new panel must have requisite knowledge of computers and computer security.
Judge Feinberg also ordered that all voting machines and vote tally transmitting systems be disconnected from the Internet immediately. Judge Feinberg also required that criminal background checks be performed on personnel who work with voting machines and all third-party vendors who examine or transport the machines. Currently, no such checks are in place. Judge Feinberg further required that a protocol be put in place for inspecting the voting machines to ensure that they have not been tampered with. Judge Feinberg found that the State of New Jersey should no longer leave voting machines unattended in polling places, to prevent tampering. Currently they are left unattended at polling places for up to two weeks before and up to two weeks after each election. [newjerseynewsroom.com, Judge’s ruling could cause New Jersey to scrap 11,000 voting machines, 2/1/2010]
Babson v. Cronin successfully argued that Hawaii could not transmit vote results electronically without administrative rules to permit that. The lawsuit sought to prevent “man in the middle” attacks that could change voting data without anyone being aware of the alteration.
New rules finally became effective in December, 2009. They permit electronic transmission of voting data.
SB2445, introduced but not yet scheduled for a hearing, would ban electronic transmission of votes, if it becomes law. Here’s what it says (snippet):
The legislature finds it is necessary to preserve the integrity and security of our electronic voting systems. This Act will prohibit the use of voting systems that connect to the Internet at any time, that electronically receive or transmit election data through an exterior communication network, including a public telephone system, when the communication originates from or terminates at a polling place, satellite location, or counting center, or that receive or transmit wireless communications or wireless data transfers.
The purpose of this Act is to preserve the integrity and security of our electronic voting systems by prohibiting specific electronic connections, which decreases the possibility that voting information can be manipulated, thereby promoting voter confidence in the electoral process.
The bill has not yet been scheduled for a hearing. To find out how to urge legislators to hear it, see this article.
The second highlight resonates with a Disappeared News article posted on September 23, 2008, Your vote, your identity, at risk on Maui, which included photos of voting machines and supplies left unattended on Maui. Yup, just left there for anyone to meddle with.
There is more to the New Jersey lawsuit. For example, this disturbing revelation:
Plaintiffs' expert witness, Princeton Computer Science Department Chair Professor Andrew Appel, who evaluated the machines, created a fraudulent chip that stole votes and installed that chip in less than 10 seconds. The voting machines could not detect the fraudulent chip.
The New Jersey result is considered mixed because the judge did not order the state to comply with its own 2005 law requiring all voting machines produce a voter-verifiable paper ballot.
New Jersey and other states are backing off on voting computers similar to what Hawaii seeks to employ for future elections. This means that Hawaii may face additional legal challenges in the future.
Our Office of elections promulgated a new administrative rule, §3-172-93 Electronic voting systems; transmission, receipt, and tabulation of votes, that makes electronic transmission of votes legal in Hawaii without security controls. This rule (which has the force of law) says, for example:
Where possible, and to the extent that the voting system’s design permits, data transmission between system components should incorporate the use of digital signatures or encryption to authenticate the data for the particular election.
Authentication by encryption is not generally understood by the general public. It’s possible, using long encryption keys, to be certain of who (or what machine) sent you a message whether it arrived at your desk in the mail, on a floppy disk, via the Internet, or even if Al Capone and his gang broke the door down and dropped it off at gunpoint.
Once you authenticate the “envelope,” any data inside has a known origin. Authentication can be assured to any degree of certainty.
Cool that authentication is in the administrative rules. Not cool that it is all negated by the “where possible” part. In other words, forget it. This office of elections has not protected the electronic transmission of voting data. They know how it should be done, but they won’t do it.
[Side note: the admin rules themselves, posted on the Office of Elections website, are not readable by screen readers for the blind, nor are they searchable. The posting violates Section 508 of the Rehabilitation Act which the website claims it follows.
Reading the rules, they require that there be an instruction card for the electronic voting computers. Again, great for those who are blind or cannot read the cards (sigh).
Finally, the Hart voting computers were first introduced as voting machines for those with disabilities, but their paper record still cannot be read or verified by the blind.]
Back to the subject at hand. If you agree that electronic transmission of votes without authentication is bad policy, please read how you can help the bill get a hearing in the Senate.