*** Democracies Online Newswire -  http://e-democracy.org/do ***
***  See something? Send submissions to: [EMAIL PROTECTED]  ***

P.S. There is a new e-list for international e-voting discussions
<http://groups.yahoo.com/group/upa-evoting/> from the UK Usability
Professionals Association
<http://www.upassoc.org/upa_projects/voting_and_usability/index.html>.

Their list description:

A group dedicated to discussion of the use of technology in voting.
Includes e-participation, but excludes issues related to
e-government. Particular interests include usability, accessibility and
security, but the list seeks to promote a holistic approach to
further the body of knowledge about voting, regardless of discipline.
The list aims to be international in approach, and in particular to
bring European and other non-US experience into the debate.

To subscribe, e-mail:  [EMAIL PROTECTED]
More e-voting links: http://publicus.net/articles/edemresources.html




Fears of more US electoral chaos after flaws are discovered in ballot
computers
http://news.independent.co.uk/world/americas/story.jsp?story=453116

All the President's Votes?
From:
http://news.independent.co.uk/world/americas/story.jsp?story=452972

...

First, they wanted to know if the software had undergone adequate
checking. Under state and federal law, all voting machinery and
component parts must be certified before use in an election. So an
Atlanta graphic designer called Denis Wright wrote to the secretary
of state's office for a copy of the certification letter. Clifford
Tatum, assistant director of legal affairs for the election division,
wrote back: "We have determined that no records exist in the
Secretary of State's office regarding a certification letter from the
lab certifying the version of software used on Election Day." Mr
Tatum said it was possible the relevant documents were with Gary
Powell, an official at the Georgia Technology Authority, so
campaigners wrote to him as well. Mr Powell responded he was "not
sure what you mean by the words 'please provide written certification
documents' ".

"If the machines were not certified, then right there the election
was illegal," Mr Wright says. The secretary of state's office has yet
to demonstrate anything to the contrary. The investigating citizens
then considered the nature of the software itself. Shortly after the
election, a Diebold technician called Rob Behler came forward and
reported that, when the machines were about to be shipped to Georgia
polling stations in the summer of 2002, they performed so erratically
that their software had to be amended with a last-minute "patch".
Instead of being transmitted via disk - a potentially time-consuming
process, especially since its author was in Canada, not Georgia - the
patch was posted, along with the entire election software package, on
an open-access FTP, or file transfer protocol site, on the internet.

That, according to computer experts, was a violation of the most
basic of security precautions, opening all sorts of possibilities for
the introduction of rogue or malicious code. At the same time,
however, it gave campaigners a golden opportunity to circumvent
Diebold's own secrecy demands and see exactly how the system worked.
Roxanne Jekot, a computer programmer with 20 years' experience, and
an occasional teacher at Lanier Technical College northeast of
Atlanta, did a line-by-line review and found "enough to stand your
hair on end".

"There were security holes all over it," she says, "from the most
basic display of the ballot on the screen all the way through the
operating system." Although the programme was designed to be run on
the Windows 2000 NT operating system, which has numerous safeguards
to keep out intruders, Ms Jekot found it worked just fine on the much
less secure Windows 98; the 2000 NT security features were, as she
put it, "nullified".

Also embedded in the software were the comments of the programmers
working on it. One described what he and his colleagues had just done
as "a gross hack". Elsewhere was the remark: "This doesn't really
work." "Not a confidence builder, would you say?" Ms Jekot says.
"They were operating in panic mode, cobbling together something that
would work for the moment, knowing that at some point they would have
to go back to figure out how to make it work more permanently." She
found some of the code downright suspect - for example, an overtly
meaningless instruction to divide the number of write-in votes by 1.
"From a logical standpoint there is absolutely no reason to do that,"
she says. "It raises an immediate red flag."

Mostly, though, she was struck by the shoddiness of much of the
programming. "I really expected to have some difficulty reviewing the
source code because it would be at a higher level than I am
accustomed to," she says. "In fact, a lot of this stuff looked like
the homework my first-year students might have turned in." Diebold
had no specific comment on Ms Jekot's interpretations, offering only
a blanket caution about the complexity of election systems "often not
well understood by individuals with little real-world experience".

But Ms Jekot was not the only one to examine the Diebold software and
find it lacking. In July, a group of researchers from the Information
Security Institute at Johns Hopkins University in Baltimore
discovered what they called "stunning flaws". These included putting
the password in the source code, a basic security no-no; manipulating
the voter smart-card function so one person could cast more than one
vote; and other loopholes that could theoretically allow voters'
ballot choices to be altered without their knowledge, either on the
spot or by remote access.

Diebold issued a detailed response, saying that the Johns Hopkins
report was riddled with false assumptions, inadequate information and
"a multitude of false conclusions". Substantially similar findings,
however, were made in a follow-up study on behalf of the state of
Maryland, in which a group of computer security experts catalogued
328 software flaws, 26 of them critical, putting the whole system "at
high risk of compromise". "If these vulnerabilities are exploited,
significant impact could occur on the accuracy, integrity, and
availability of election results," their report says.

Ever since the Johns Hopkins study, Diebold has sought to explain
away the open FTP file as an old, incomplete version of its election
package. The claim cannot be independently verified, because of the
trade-secrecy agreement, and not everyone is buying it. "It is
documented throughout the code who changed what and when. We have the
history of this programme from 1996 to 2002," Ms Jekot says. "I have
no doubt this is the software used in the elections." Diebold now
says it has upgraded its encryption and password features - but only
on its Maryland machines.

 ...

^               ^               ^                ^
Steven L. Clift    -    W: http://www.publicus.net
Minneapolis    -   -   -     E: [EMAIL PROTECTED]
Minnesota  -   -   -   -   -    T: +1.612.822.8667
USA    -   -   -   -   -   -    M: +1.612.203.5181

Join my Democracies Online Newswire:
    http://e-democracy.org/do
My blogging experiment:
    http://travelscoops.com

*** Past Messages, Discussion http://e-democracy.org/do ***
*** To subscribe, e-mail:  [EMAIL PROTECTED]          ***
***         Message body:  SUB DO-WIRE                  ***
*** To UNSUBSCRIBE instead, write: UNSUB DO-WIRE        ***
*** Please send submissions to:  [EMAIL PROTECTED]     ***
