1. Will Your Vote Count?

2. GPS/Navigation Follow-up

1. WILL YOUR VOTE COUNT? - "Hanging chads" aren't the only problem

At the last election, my family and I had a disturbing experience -- one that left us wondering how secure our voting system really is. The story has two parts: one about the people side and one about the technology side of the equation.

On the people side, there was a real snafu in the process that could have led to allowing people to vote more than once or allowing unauthorized voters to vote. On the technology side, there was an automated voting system that had no physical backup or 'receipt' to show you what your vote was. Both of these possibilities undermine the democratic process.

The people side

As you probably know, voters must "sign-in" at the polling place so that their voting status can be verified. At our polling place, your name is checked off two lists and you sign the register showing that you appeared to vote. Once this verification process has been completed, you then stand in a second line waiting to actually vote. The process is designed to first validate that you are eligible to vote and that you haven't voted before you can vote.

When our family arrived at the polling place, we saw a long line stretching out the door. The actual polling place was a small room at the back of our local recreation center. I had voted earlier, but wanted to accompany my wife and younger son who was voting for the first time. Once they had signed in, we were directed to go to the end of the line -- outside the polling room -- and wait their turn to vote. The end of the line was completely removed form the view of the polling officials; no one could see what was happening there. My wife and I immediately saw the problem and objected to the polling station workers that we would be out of their sight and that meant that anyone could stand in the line and vote or that someone could vote twice. They assured use that everything was OK and that, in any case, they would "...recognize us if we tried to vote twice."

Following their instructions we went to the back of the line, waited our turn, and my wife and son voted. However, I was offered the opportunity to vote, even though I had already done so much earlier in the day (!). I pointed out that I had already voted. Of course, the worker who had been so sure that she would "recognize us" had no clue, even though I had spoken to her just several minutes earlier.

Needless to say, we immediately called the Registrar's Office and filed a very strong complaint. Unfortunately, no one really seemed to understand the gravity of the situation, and it took several calls to galvanize a response. The response that my wife received from the Registrar's Office was marginally reassuring, although there was agreement that the process of forming two lines was a serious error.

The technology side

Our previous (manual) voting system had just been replaced with an automated, touch-screen system -- everything looked clean, neat, and efficient. The system had clear instructions, was easy to use, and seemed to be well implemented, at least on the surface.

The one glaring omission was the complete lack of a paper audit trail. In other words, you entered your vote and it went into the system, but you received absolutely no confirmation -- in the form of a printed receipt -- that your vote was entered correctly. Furthermore, we learned that there is absolutely no paper trail anywhere in the system, not even for the Registrar's Office to keep in case there are questions about the vote! As a computer professional, this is an appalling lack, and one I believe that threatens one of the basic tenets of democracy -- the right to a free and accurate voting process.

I know that the fear and loathing created by Florida's "hanging chad" situation is leading us away from the traditional voting systems -- and that's a good thing. But we have to be vigilant lest we throw out the baby with the bath water.

Here's why.

First, and most importantly -- NO COMPUTER SYSTEM IS FOOL-PROOF... PERIOD. Anyone who claims that their system cannot fail (is "bullet-proof") is (a) totally misinformed or (b) trying to fool you or (c) ingesting a mind-altering substance. If you have a technology background, you know what I mean. If you don't, just think about it.

• A huge amount of time, money, and energy is spent "debugging" programs, i.e., testing and fixing to get the errors out. In spite of all that effort, we can't get all the errors out. For example, one version of Microsoft Windows was reported to have shipped with over 10,000 known bugs (errors).
• The sheer magnitude and complexity or today's programs make guarantees of 100% bug-free software a joke. If you have a system with 10 million lines of code (or software instructions), the number of possible combinations inherent in the program make it physically impossible to test every possible combination in our lifetime, even with the world's fastest computers. Thus, companies and people that develop today's software programs make educated guesses as to what should be tested and what they can ignore... hoping that they guess right.
• If programs could be made fool-proof, then there wouldn't be hackers, there wouldn't be reports of credit card theft, there probably wouldn't even be spam because we'd have perfect software that did exactly what we wanted every time.

Listen to what Microsoft itself says about computer bugs:

The key phrase here is "effective risk management" -- putting safeguards in place in the likely event that someyhing fails to operate as expected.

Second, even if the software were perfectly made (impossible), there is still the possibility that someone inside the company could compromise the system. Many of the stories of computer problems have been the result of trusted employees who couldn't resist making changes to the system to their benefit. There's the classic story of a programmer back in the days of large mainframe systems who worked on a bank's demand deposit (checking) system. When internal calculations are made (such as for adding interest) there is almost always a small "rounding" error; that is, the interest calculation doesn't actually come out to an exact dollars and cents figure. For example, 5% or $500 is exactly $25.00, but 5% of 525.17 is $25.25 with .85 cents left over. Where does that .85 cents go? Well, it usually was ignored, but this programmer modified the program to add those less that one penny differences to his own bank account. He was caught with about $300,000 in his bank account. The same thing could happen with a politically-motivated employee. One possibility: just take the voters who abstained from voting and add that vote to the candidate of their choice. There are a myriad of other possibilities.

What is very interesting (and scary) is that people seem to take the assurances of the voting system vendors at face value when they claim that their software is "bullet-proof".Since there's no such thin

Finally, there needs to be some form of backup. How do you perform a recount in a system where there is only an electronic image of your vote? Do you just add up the same numbers and come up with the same results and call it a recount? At least with a paper trail, one could count the paper copies and validate the results.

I've been thinking about this issue for some time now, planning to write an article raising these questions. Fortunately, researchers at Johns Hopkins University were able to analyse some of the source code from a version of an election tally system offered by Diebold Systems, one of the contenders in this very important area. They list a number of "significant and wide-reaching security vulnerabilities", including:

• "Voters can easily program their own smart cards to simulate the behaviour of valid smart cards used in the election. With such homebrew cards, a voter can cast multiple ballots without leaving any trace.
• "A voter can also perform actions that normally require administrative privileges, including viewing partial results and terminating the election early.
• "Similar undesirable modifications could be made by malevolent poll workers (or even maintenance staff) with access to the voting terminals before the start of an election.
• "Furthermore, the protocols used when the voting terminals communicate with their home base, both to fetch election configuration information and to report final election results, do not use cryptographic techniques to authenticate the remote end of the connection nor do they check the integrity of the data in transit. Given that these voting terminals could communicate over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform untraceable "main-in-the-middle" attacks."

Their report goes on to say:

• "Cryptography, when used at all, is used incorrectly.
• "More generally, we see no evidence of rigorous software engineering discipline. Comments in the code and the revision change logs indicate the engineers were aware of areas in the system that needed improvement.
• "We also saw no evidence of any change-control process that might restrict a developer's ability to insert arbitrary patches to the code. Absent such processes, a malevolent developer could easily make changes to the code that would create vulnerabilities to be later exploited on Election Day."
• "When programming in an unsafe language like C++, programmers must exercise tight discipline to prevent their programs from being vulnerable to buffer overflow attacks and other weaknesses. Indeed, buffer overflows caused real problems for AccuVote-TS systems in real elections." [Editor's Note: A 'buffer overflow attack' is one where the attacker sends a very long string of data to the program -- longer than provided for by the program -- and this long string of data 'overflows' or exceeds the area where the programmer stores the data. This effectively modifies the program and allows the attacker to take over the program. Buffer overflows are notorious in the computer industry and are the cause of a large number of the virus, worm, and other security attacks which have received media coverage.]

Read the Johns Hopkins' report yourself; also, check out the original response by Diebold. [Editor's Note: This morning, 7/29/2003, I tried this link and found it. This afternoon, it now shows as "Not Found". They have updated their web site with a new response. It is interesting to note that one of Diebold's claims in their updated rebuttal states that the report: "Failed to recognize that both federal and state election training procedures are designed to ensure the integrity of elections, regardless of the voting technology. Of course, that didn't happen, as reported in the first part of this article.]

Diebold attempts to counter these arguments in their rebuttal report. The extent of the rebuttal really boils down to claiming that Johns Hopkins report:

• Looked at only a small portion of the code [that's all they had]
• Ran it on a device that the system was not designed to operate on [true, but doesn't necessarily rebut the findings]
• Attributed operating system weaknesses that didn't apply [there are always bugs in any operating system]
• Failed to consider that extensive tests had been run [software professionals know that all the testing in the world can't guarantee that every error has been eliminated]
• Didn't understand how voting process works [from my own experience, I know that the voting process doesn't always work well or as expected]
• Completely ignored election protocol [so did the polling workers in our case]
• Failed to recognize training procedures designed to preclude problems [training didn't help the polling workers at our precinct]
• Didn't understand the the voting system don't have standard PC keyboards or disk drives [partially true, but clever attackers find ways to defeat systems. And Diebold themselves say that this eliminates "much of the easy access", but don't claim that it solves the problem]
• Cited Microsoft Windows problems that don't apply [attackers can break into private communications networks, too]

Once you've read both reports, I think you'll agree that something needs to be done to ensure that our vote really counts! There is an article in the San Jose Mercury News, 7/29/2003, which covers this issue, and from which I gained much of the specific contact information referred to here.

I should note that our Registrar of Voters pointed out that giving a hard copy to the voter to take out of the polling place could lead to buying the vote. However, the Registrar did not address the option of allowing the voter to view the receipt and then filing it in a secured container to be used for recounts, if necessary. Such verification of the vote would preclude votes that were made in error because of confusion, for example.

So, what else can you do?

• If you live in California, there is a very small window of opportunity to provide input to the administration. Secretary of State Kevin Shelley has the authority to require voting system vendors to implement safeguards such as a paper copy (as you might imagine, there is resistance to this approach, probably because it will cost money to implement). Shelley is accepting public comments UNTIL AUGUST 1, 2003 (I know, I know, that's not a lot of time). Read the Ad Hoc Touch-Screen Task Force Report for more information; it was published on July 2, 2003. Send comments to:

• If you live in any other state, check with your state government and see if there are similar initiatives going on where you live.
• Get active. It's clear that this area (like many others) needs input from technologists who are not guided simply by the technology but who understand the people issues that ALWAYS surround technology.
• If you have information about what's going on in this area, please send me information -- you can use the form below to let me know what you've learned. Time permitting, I'll follow up with more information on this very important subject.

Stay vigilant!

2. GPS/NAVIGATION FOLLOW-UP - Unexpected benefits!

I've been using my new GPS/Navigation system for several months (and almost 14,000 miles :) now and all I can say is "I love it -- most of the time!" Even though I'm very good at finding my way around places, the GPS makes it incredibly easy to get anywhere I want to go... no sweat, no hassle, no getting lost and having to retrace my steps.

It's true that the Navigation system sometimes doesn't pick the most efficient route: it often will take a much more round-about route than is necessary. This happens particularly at the end of the travel: rather than going straight for 3 blocks and turning right for 1 block, it will direct me to go right for 6 blocks, turn left for 3 blocks, and then left again for 5 blocks. On one occasion, it had me go down the freeway for 2 miles beyond my turnoff, do a loop-ti-loop and get back on the freeway and come back to the exit! Strange. The only thing I can postulate is that the exit or road was closed when they entered the data into the DVD that is the memory bank of the system, particularly since it happens every time I take those particular routes. I've learned (been trained?) to check the route in advance to see if it's making one of those strange loops and just adjust my travel and let the system catch up with me.

However, that's all trivial, since it does get me where I want to go.

The most wonderful -- and unanticipated -- part of the GPS experience is that I discovered that what I have is a telephone book for the entire United States in my car, with a reasonably effective search engine at my fingertips. So... I'm at a strange location waiting for my son's soccer game to start and I want a latte. Easy! I punch "Places", "By Name", type in S-T-A-R-B-U-C-K-S and Voila! I see that there is one 1.31 miles away off to my right and another one 2.18 miles back and to my left. Now that's convenience. If I need gas, I just punch in C-O-S-T-C-O or C-H-E-V-R-O-N and again I'm in business. If I want to find a restaurant, I can type it in by name or look for a particular kind of food (I'm partial to Thai restaurants) and it's all right there -- often along with phone numbers so that I can even call ahead.

Now, there is a downside (there always is with technology or the supporting elements). The data entry is inconsistent, so "Starbucks" could be simply "Starbucks" or "Starbucks Cafe" or "Starbucks Coffee Co" or ... There's no way -- in my system, at least -- to get every possible "Starbucks" in a list: you have to help the system out by trying several different possibilities. If you give up too soon, you'll miss one right next door.

Could it be better? Absolutely!

Do I love it? You betcha!

.