[Photo Galleries ][Polls Discussion ] [ Go to Castlebar ] [ The BB Index ] [ Disclaimer ] [Nostalgia Board ] [Roots ]
[NB Refresh for current version and all follow-ups]
Posted by Avi Rubin on March 03, 2004 at 17:37:31:
It is now 10:30 pm, and I have been up since 5 a.m. this morning. Today, I served as an election judge in the primary election, and I am writing down my experience now, despite being extremely tired, as everything is fresh in my mind, and this was one of the most incredible days in my life.
I first became embroiled in the current national debate on evoting security when Dan Wallach of Rice University and I, along with Computer Scientist Yoshi Kohno and my Ph.D. student Adam Stubblefield released a report analyzing the software in Diebold's Accuvote voting machines.
Although there were four of us on the project, perhaps because I was the most senior of the group, the report became widely associate with me, and people began referring to it as the "Hopkins report" or even in some cases the "Rubin report". I became the target of much criticism from Maryland and Georgia election officials who were deeply committeed to these machines, and of course, of the vendor. The biggest criticism that I received was that I am an academic scientist and that academics do not "know siccum" about elections, as Doug Lewis from the Election Center put very eloquently.
While I dispute many of the claims that computer scientists working on e-voting security analysis are deficient in their knowledge of elections, I realized that there was only one way to stifle this criticism, and at the same time to perform a civic duty. I volunteered to become an election judge in Baltimore County. The first step was to get signed up. I filled out a form at a local grocery store and waited for a call from the Baltimore County Board of Elections. The call never came. So, I called up the board and spoke with the head of elections and found out that there was a mandatory training session a couple of days later. I got on to the list for the training, and I attended. There, I learned that my entire county would be voting with Diebold Accuvote TS machines, the very one that we had analyzed in our report. It was an eery feeling as I trained for 2 hours on every aspect of using the machine and teaching others how to use them. Afterwards, I received a certificate signed by the board of elections and became a qualified judge. I was supposed to receive a phone call within a few days assigning me to a precinct, but I did not. So, I called up the board of elections and spoke with the same woman, who assigned me to a precinct at a church in Timonium, MD, about 15 minutes from my house.
I reported to my precinct at 5:45 a.m. this morning. Introductions began, and I immediately realized that it would not be a normal day. There are two head judges, one from each party. There were also seven other judges. The head judges were Marie (R) and Jim (D). Both of them mentioned that they read about me in the paper that morning, and were pretty cold towards me. It turns out that the Baltimore Sun ran a story today about my being an election judge. In there, I'm quoted as saying that the other judges in my training were in the "grandparent category" with respect to their age. My colleagues for the day, who were in that category as well, did not appreciate the barb and were ready to spar with me.
There are three types of judges besides the head judges. There are four book judges, one from each party with A-K and one from each party with L-Z. There is one judge assigned to provisional ballots, and a couple of unit judges charged with assigning voters to particular machines. I was the L-Z democrat book judge, along with Andy, a grandfather of many, a staunch Republican, and a fellow I grew very fond of as the day went on. To my left were Anne, the Republican judge married to Andy, and Sandy. Actually, there were two Sandys. One began as a unit judge, but early on switched with the other Sandy to be the democratic book judge on A-K. Bill was the provisional judge, and he is married to head judge Marie. And then there was Joy. One of the Sandys, Joy and I were the three younger judges who did not fit into the grandparent category.
Joy was by far the most knowledgeable about the election. She had trained dozens of groups on the Diebold machine, and she knew all of the procedures inside and out. The head judges deferred to Joy on just about every major issue that came up. She knew our manuals by heart, and we were very lucky to have her there. In reality, all of us helped with all of the jobs, but we had our default assignments.
The job of the book judge is to look up each voter in a card deck and find their registration card. If there wasn't one, then there were procedures for handling them. Once we found the card, we cross checked it with our roll booklet. For the most part this process went smoothly. I wore a string around my neck with a little electronic sleave on the end. After a voter was verified as registered, I slid a smartcard into the sleave and pushed a few buttons to designate whether or not this voter should receive a Democrat or Republican ballot, based on their registration, and there was also an option for specifying magnification of the ballot on the screen, or even audio for blind people.
From 6-7 a.m., we set up the voting booths. We had to unplug all of them because they were facing the wrong way. We then rearranged them and plugged them back in. Each machine has a 5 hour battery, so this process went without a hitch. Pretty much all of the judges knew who I was and what my role has been as a very public critic of electronic voting and Diebold in particular. At around 6:30, representatives from Diebold arrived, and although my badge said "Avi" on it, I heard them refer to me as Professor Rubin, so I knew that they knew exactly who I was. In fact, some of the very senior Diebold executives who I recognized showed up, which makes me think that they knew I would be there, perhaps based on the Baltimore Sun article.
At 7 a.m., we opened the polls, and head judge Jim cast the first vote, to a round of applause from all of us. Voters trickled in, but at a slow pace. I felt some hostility from my fellow judges. This was not helped by what transpired next. A TV crew from Fox News showed up at the polls and asked the head judge if they could interview me. The head judge called a "super" judge at the county and came back and said no. The reporter asked to speak to the super judge, named Jackie, and was obviously not getting anywhere. She left rather angry, with a nasty exchange with head judge Jim and some unpleasant words with head judge Marie. I felt very uncomfortable. At that moment, there were no more voters in the room, and I offered to everyone in the room that I was not here to pull a publicity stunt, and that I would agree not to speak with any reporters throughout the day. This was a serious responsibility and duty that I took with the utmost respect for the system, and I would not let it turn into a mockery. A few minutes later, though, a photographer from the Baltimore Sun showed up with a reporter in tow. The same routine happened, only this time, they allowed the photographer to take pictures of me working and checking in voters and programming smartcards. However, they would not let the reporter talk to me. An angry exchange ensued, and when he left, I felt that tempers were pretty hot.
Once again, I reiterated my intensions of being nothing more than an objective judge today. The situation was worsened when one voter had a problem with his card which the voting machine spit out. He was given a new card, but I was concerned, and so I asked head judge Marie to count the ballots and check them against the count in the machine after he left. She did, and the count was fine. The smartcard really had failed and it was fixed. However, I overheard head judge Jim complain to Joy that I had made a big deal about that incident because the Baltimore Sun reporter was there. That was not true. It was a coincidence.
Over the next several hours, we all were busy checking in voters and dealing with running the election. Everybody calmed down, and we started joking around with each other and the mood became more positive. We only had one other minor press incident during the day. During breaks, I decided to educate Marie and Joy about the security problems of electronic voting machines. Amazingly, they really started to get it. They confessed that they had been ready to fight me, and that there was great animosity towards me, but that, in their words, I wasn't "such a bad guy after all". At the same time, I started realizing that some of the attacks described in our initial paper were actually quite unrealistic, at least in a precinct with judges who worked as hard as ours did and who were as vigilant. At the same time, I found that I had underestimated some of the threats before. I think that being an election judge was the best thing I could have possibly done to learn about the real security of elections.
In our paper, we described how the smartcards used by these machines had no cryptography on them, and we made the widely criticized claim that a teenager in a garage could manufacture smartcards and use them to vote 20 times. I now believe that this particular attack is not a real threat -- at least not in the primary I worked today. We had 9 judges and 5 machines. Whenever a voter took what seemed to be too long, we always had a judge ask them if they needed help, or if something was wrong. Also, the machines make a loud clicking sound when the smartcard is ejected, and we almost always had a judge standing there waiting to collect the card and give the voter a sticker, as they are ushered out.
In general, multiple voting attacks during the election are not likely to work in a precinct such as the one where I worked. Every hour or so, we counted all of the voter authorization cards (different from the smartcards), which were in an envelope taped to the machine, and compared them to the number of votes counted by the machine so far. I believe that if any voter somehow managed to vote multiple times, that it would be detected within an hour. I have no idea what we would do in that situation. In fact, I think we'd have a serious problem on our hands, but at least we would know it.
Every hour, we also counted the totals on the machines and compared them to the totals in the registration roster that we used to check people in. I was amazed at the number of countings and pieces of paper that we shuffled throughout the day in what was billed as a paperless electronic election.
There were also some security issues that I found to be much worse than I expected. All of the tallies are kept on PCMCIA cards. At the end of the election, each of those cards is loaded onto one machine, designated as the zero machine. (I found it interesting that Diebold numbered the machines 0 through n-1, disproving my notion that they don't have anyone on board who knows anything about Computer Science.) The zero machine is then connected to a modem, and the tallies are sent to a central place, where they are incorporated with the tallies of other precincts. In our case, the phone line was not working properly, so we went to the backup plan. The zero machine combined all the tallies from the PCMCIA cards that were loaded one at a time onto the machine. It then printed out the final tallies. One copy of that went onto the outside door of the building where there were talliers and poll watchers eagerly waiting. The other was put into a pouch with all of the PCMCIA cards, each wrapped in a printed tally of the machine to which it corresponds, and that pouch was driven by the two head judges to the board of elections office.
The security risk I saw was that Diebold had designated which machine would be the zero machine, and at one point, all of the vote tallies were loaded onto that one machine in memory. That would be the perfect point to completely change the tallies. There is no need to attack all of the machines at a precinct if someone could tamper with the zero machine. In fact, even when the modem is used, it is only the zero machine that makes the call. In the code we examined, that phone call is not protected correctly with cryptography. Perhaps that has been fixed. I was glad to see that the administrator PIN actually used in the election was not the 1111 that we used in our training, and that we had seen in the code.
One thing absolutely amazed me. With very few exceptions, the voters really LOVED the machines. They raved about them to us judges. The most common comment was "That was so easy." I can see why people take so much offense at the notion that the machines are completely insecure. Given my role today, I just smiled and nodded. I was not about to tell voters that the machines they had just voted on were so insecure. I was curious that voters did not seem to question how their votes were recorded. The voter verifiability that I find so precious did not seem to be on the minds of these voters. One woman did come up to Joy and complain that she wanted a paper ballot to verify. But, Joy managed to convince her that these machines were state of the art and that there was nothing to worry about, which was followed by a smile and a wink in my direction. I just kept quiet, given the circumstances. As an election judge, my job is to make the election work as well as possible, and creating doubts in the voters' minds at the polls does not figure into my idea of responsible behavior. Perhaps the lightest moment in the day came when one voter standing at his machine asked in the most deadpan voice, "What do I do if it says it is rebooting?" Head judge Marie turned white, and Joy's mouth dropped. My heart started to beat quickly, when he laughed and said "just kidding." There was about a two second pause of silence followed by roaring laughter from everyone.
I found the reaction to that joke interesting. Everybody was willing to believe that this had happened, and yet when it became clear that it didn't, we all felt relief. I'm sure that the other judges would have claimed that this was impossible, and yet, for a brief instant, they all thought it had happened.
There were a few unusual moments related to my previous work on e-voting. Several people recognized me from TV appearances and from the paper. Yesterday, I was on two CNN shows and the local ABC station criticising Diebold's voting machines, and last week, I was on the Today show and on TechTV. One voter who I was checking in, leaned over and said, "I know who you are." I just smiled. Then he asked me if he should even bother voting, and if I thought the machines would "hold out". I answered that my views were well known, but that today I was an election judge. Another voter asked me, "Aren't you that hacker guy?"
In the beginning of the election, we printed a "zero tape" of each machine. I found this to be the kind of charade that a confidence man would play when performing some slight of hand. So, the machines printed each candidates name with a zero next to it. Somehow, that is supposed to mean that there are no votes counted on the machine? I don't know. I think I could write a five line computer program that would print the zero tally, and I don't see how that ties into the security of the election. In fact, that was not the only procedure that I thought served more as eye candy than real security. For example, the process for collecting the smartcards was for the unit judge to take the card from the voter and put it on a piano that was across the room. Every 15 minutes or so, the unit judge would take the cards and give them back to us book judges. When a Diebold rep showed up, I asked her about this, and she said that it was done to give the voters a sense that nothing was being kept on the smartcards about their voting session. After my experience today, I can say with total confidence that this would not have ocurred to any of the voters we had.
There was a very funny moment around 2:00 in the afternoon. A voter complained that she was a Democrat but had been given the Republican ballot. This required both head judges to void the ballot. It turned out that this had been my mistake when I coded the smartcard. In fact, I was the only one the entire day who made such a mistake. The less than young judges had a good time constantly reminding me of who the careless judge was at this election. One of them commented to me that there are many young people who are incompetent and many old people who can manage an election just fine, thank you.
I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a handful of companies (Diebold, Sequoia, ES&S) who are in a position to control the final outcomes of our elections. I also believe that the outcomes can be changed without any knowledge by election judges or anyone else. Furthermore, meaningful recounts are impossible with these machines.
I also believe that we have great people working in the trenches and on the front lines. These are ordinary people, mostly elderly, who believe in our country and our democracy, and who work their butts off for 16 hours, starting at 6 a.m. to try to keep the mechanics of our elections running smoothly. It is a shame that the e-voting tidal wave has a near hypnotic effect on these judges and almost all voters. I believe that after today's experience, I am much better equipped to make the arguments against e-voting machines with no voter verifiability, but I also have a great appreciation for how hard it is going to be to fight them, given how much voters and election officials love them.
We were not allowed to use cell phones or access email all day. On my way home from the polls, I called my voicemail at work. I had messages and requests for interviews from ABC News, the Baltimore Sun, the Washington Post, Wired News, CNN, several radio stations and the New York Times. So, this issue is not going away. Over the next few days, I'll be discussing my experience and probably sparring with the usual suspects in the various media outlets. My biggest fear is that super Tuesday will be viewed as a big success. By all accounts, everyone at my precinct felt that way. The more e-voting is viewed as successful, the more it will be adopted, and the greater the risk when someone decides to actually exploit the weaknesses of these systems.
It's now almost midnight, and I've been up since 5:00 a.m. I'm falling asleep as I type this, so I will end here. Good night.