Now why would they go and do THAT?
From: David Farber <dave () farber net>
Date: Thu, 5 Mar 2009 08:20:01 -0500
Begin forwarded message:
From: Randall Webmail <rvh40 () insightbb com>
Date: March 4, 2009 8:22:15 PM EST
To: johnmacsgroup () yahoogroups com
Cc: dewayne () warpspeed com, dave () farber net
Subject: Now why would they go and do THAT?
Report: Diebold Voting System Has 'Delete' Button for Erasing Audit Logs
By Kim Zetter | March 03, 2009 | 7:30:17 PM | Categories: E-Voting
After three months of investigation, California's secretary of state
has released a report examining why a voting system made by Premier
Election Solutions (formerly known as Diebold) lost about 200 ballots
in Humboldt County during November's presidential election.
But the most startling information in the state's 13-page report
(.pdf) is not why the system lost votes, which Wired.com previously
covered in detail, but that some versions of Diebold's vote tabulation
system, known as the Global Election Management System (Gems), include
a button that allows someone to delete audit logs from the system.
Auditing logs are required under the federal voting-system guidelines,
which are used to test and qualify voting systems for use in
elections. The logs record changes and other events that occur on
voting systems to ensure the integrity of elections and help determine
what occurred in a system when something goes wrong.
"Deleting a log is something that you would only do in de-
commissioning a system you're no longer using or perhaps in a testing
scenario," said Princeton University computer scientist Ed Felten, who
has studied voting systems extensively. "But in normal operation, the
log should always be kept."
Yet the Diebold system in Humboldt County, which uses version 1.18.19
of Gems, has a button labeled Clear, that "permits deletion of certain
audit logs that contain — or should contain — records that would be
essential to reconstruct operator actions during the vote-tallying
process," according to the California report.
The button is positioned next to the Print and Save As buttons (see
image above), making it easy for an election official to click on it
by mistake and erase crucial logs.
In fact, the report says, this occurred recently in a California
county when an official, while attempting to print out a copy of a so-
called "poster log," inadvertently deleted it instead.
The system provides no warning to the operator that clicking on the
button will result in permanent deletion of records in the log, nor
does it require the operator to confirm the action before executing it.
Apparently Premier/Diebold was aware that having a Clear button on its
system was a bad idea. According to California's report, one of the
system's developers wrote in an e-mail in 2001: "Adding a Clear button
is easy, but there are too many reasons why doing that is a bad idea."
Yet the company included the button in its system anyway.
The button was removed from software versions 1.18.20 and following, but
Premier/Diebold never went back to jurisdictions using previous
versions to upgrade them, and version 1.18.19 is still used in three
California counties as well as in other states. It's unclear how many
previous versions of the software had the button, or why it was
included in the first place.
According to the report:
The Clear buttons ... allow inadvertent or malicious destruction
of critical audit trail records in all Gems version 1.18.19
jurisdictions, risking the accuracy and integrity of elections
conducted using this voting system. Five years after the company
recognized the need to remove the Clear buttons from the GEMS audit
log screens, not only Humboldt, San Luis Obispo and Santa Barbara
Counties in California but jurisdictions in other parts of the
country, including several counties in Texas and Florida, continue to
use Gems version 1.18.19....
The report states that the inclusion of the button violated the
federal voting-system standards under which the Premier/Diebold system
qualified to be used in elections. The standards require that voting-
system software automatically creates and permanently retains
electronic audit logs of important system events that occur on the
Premier/Diebold did not respond to a request for comment.
The Clear button isn't the only problem with the audit log in the
Premier/Diebold system. Wired.com previously reported other issues
with the logs — for example, they don't record significant events that
occur in the tabulation system, such as when someone deletes votes
from the software.
The California report states that the Clear button and other issues
should have been a red flag to the testing laboratories that certified
the system. The system should have flunked certification-testing and
been banned from the election.
Under the official voting-system standards, "each of the errors and
deficiencies in the Gems version 1.18.19 software described in this
report, standing alone, would warrant a finding ... of 'Total
Failure'," the report concludes.
"Presumably some organization, some lab, looked at this system and
decided they thought it complies with the standard," said Felten.
"And, obviously, they were wrong. Any state that uses Gems should be
looking at this seriously."
It's unclear what the states currently using the Gems system will do
now that they know their voting software does not create an adequate
California's secretary of state has scheduled a public hearing on
March 17 (.pdf) to discuss the report and whether version 1.18.19 of
Gems should be decertified in the state. That would force counties in
the Golden State to upgrade to a different version.
As for addressing the fundamental problems with the audit logs in all
versions of the GEMS software, a spokeswoman for the secretary of
state's office said only that the state sent the report to the federal
Election Assistance Commission to communicate the issue to election
officials in other states.
A spokeswoman for the EAC told Wired.com that the commission has no
authority to address problems with voting systems that were tested and
qualified prior to 2002, when Congress gave the organization oversight
"There's no regulatory action that we could take," said EAC
spokeswoman Jeannie Layson. "But certainly ... [we] make sure that the
test labs and independent reviewers who look at the test reports are
aware of all that information."
The lab that was responsible for testing and qualifying Gems version
1.18.19 with the Clear button is Colorado-based Ciber. In 2007, the
lab was suspended from testing voting systems for not following
quality-control procedures and for failing to document that it was
conducting all the required tests. But the EAC restored the lab's
accreditation to test voting systems last year.
Ciber did not respond to a call for comment about its examination of
the Premier/Diebold system and its approval of the Clear button.
The California report is the result of an investigation into what
occurred in Humboldt County during the November 2008 presidential
After the election, county officials discovered that their tabulation
software had dropped 197 ballots without giving any notice to election
officials that it was doing so. Humboldt uses a Premier/Diebold
central-count optical-scan system. The company acknowledged that a
programming flaw in version 1.18.19 of Gems could drop votes when used
with a central-count scan system, and that it had known about the
problem since October 2004.
Premier/Diebold sent some election officials a workaround at the time,
though Humboldt County election director Carolyn Crnich never received
it. The company also never notified California state officials or the
federal EAC so that election officials around the country could be
The flaw was fixed in May 2005. But until then, the vendor let
jurisdictions use five flawed versions of the software and never
explained the problem or the workaround in user documentation. Diebold
has said that no jurisdiction outside California used these versions
of Gems with a central-count scan system and therefore were not at
risk from the flaw. California officials backed this claim in their
Secretary of State Debra Bowen has sponsored legislation that would
require a voting-machine vendor to notify the state in writing (.pdf)
any time it discovers a problem with its voting system. The vendor
would have to notify the state — and any California jurisdiction using
the voting system — within five working days of discovering a flaw in
software or hardware.
The bill also requires a vendor to disclose any flaws it already knows
about systems that are currently in use in the state. These reports
will then be submitted to the EAC so that officials in other states
will know about them as well. The bill provides for civil penalties of
$10,000 per violation against vendors for undisclosed flaws or for
making unauthorized changes to a voting system.
Kate Folmar, spokeswoman for the secretary of state's office, said
Bowen hopes that the bill, if passed, "could become a model for other
states for dealing with similar anomalies and problems that pop up
with their voting systems."