http://www.freedom-to-tinker.com/?p=1189
August 20th, 2007 by Ed Felten
Two Ohio researchers have discovered that some of the state's e-voting
machines put a timestamp on each ballot, which severely erodes the
secrecy of ballots. The researchers, James Moyer and Jim Cropcho, used
the state's open records law to get access to ballot records,
according to Declan McCullagh's story at news.com. The pair say they
have reconstructed the individual ballots for a county tax referendum
in Delaware County, Ohio.
Timestamped ballots are a problem because polling-place procedures
often record the time or sequence of voters' arrivals. For example, at
my polling place in New Jersey, each voter is given a sequence number
which is recorded next to the voter's name in the poll book records
and is recorded in notebooks by Republican and Democratic poll
watchers. If I'm the 74th voter using the machine today, and the
recorded ballots on that machine are timestamped or kept in order,
then anyone with access to the records can figure out how I voted.
That, of course, violates the secret ballot and opens the door to
coercion and vote-buying.
Most e-voting systems that have been examined get this wrong. In the
recent California top-to-bottom review, researchers found that the
Diebold system stores the ballots in the order they were cast and with
timestamps (report pp. 49-50), and the Hart (report p. 59) and
Sequoia (report p. 64) systems "randomize" stored ballots in an easily
reversible fashion. Add in the newly discovered ES&S system, and the
vendors are 0-for-4 in protecting ballot secrecy.
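
The storage problem described above can be checked in a test lab with a mock election whose cast order is known. The following is an added example, not code from the post, the California review, or any vendor's system: it contrasts a store that keeps cast order and timestamps with one that drops the timestamp and places each ballot at a slot chosen by the OS CSPRNG, then measures how many mock ballots stay linkable. All function names, record fields and the mock data are hypothetical.

```python
import secrets

def store_as_cast(cast):
    # Weak: the pattern the post criticises. Records stay in cast order
    # and each one carries its timestamp.
    return [{"ts": ts, "mark": mark} for ts, mark in cast]

def store_unlinkable(cast):
    # Hardened: drop the timestamp and insert each ballot at a slot chosen
    # by the OS CSPRNG, so neither a field nor the storage position
    # reflects cast order. Repeated uniform insertion yields a uniform
    # random permutation.
    stored = []
    for _ts, mark in cast:
        stored.insert(secrets.randbelow(len(stored) + 1), {"mark": mark})
    return stored

def linkable_fraction(stored, cast):
    # Fraction of mock ballots that line up with their cast position when
    # the records are ordered by timestamp (if present) or storage order.
    if all("ts" in r for r in stored):
        ordered = sorted(stored, key=lambda r: r["ts"])
    else:
        ordered = stored
    hits = sum(1 for rec, (_ts, mark) in zip(ordered, cast)
               if rec["mark"] == mark)
    return hits / len(cast)

def audit(stored, cast):
    # Three checks: no timestamp field, tally unchanged, order not leaked.
    return {
        "has_timestamp": any("ts" in r for r in stored),
        "tally_preserved": sorted(r["mark"] for r in stored)
                           == sorted(m for _t, m in cast),
        "linkable": linkable_fraction(stored, cast),
    }

# Constructed mock election: 200 test ballots, each with a unique marker,
# cast 45 seconds apart. Unique markers exist only so the lab can score
# linkage; real ballots carry no such field.
MOCK_CAST = [(1_187_600_000 + 45 * i, f"test-ballot-{i:03d}")
             for i in range(200)]

if __name__ == "__main__":
    print("as cast:   ", audit(store_as_cast(MOCK_CAST), MOCK_CAST))
    print("unlinkable:", audit(store_unlinkable(MOCK_CAST), MOCK_CAST))
```

The hardened store's linkable fraction varies from run to run but stays near 1/200, which is what chance alone gives; the tally is identical in both cases.
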
You'd expect the vendors to hurry up and fix these problems, but
instead they're just shrugging them off.
An ES&S spokeswoman at the Fleishman-Hillard public relations firm
downplayed concerns about vote linking. "It's very difficult to make a
direct correlation between the order of the sign-in and the timestamp
in the unit," said Jill Friedman-Wilson.
This is baloney. If you know the order of sign-ins, and you can put
the ballots in order by timestamp, you'll be able to connect them most
of the time. You might make occasional mistakes, but that won't
reassure voters who want secrecy.
You know things are bad when questions about a technical matter like
security are answered by a public-relations firm. Companies that
respond constructively to security problems are those that see them
not merely as a PR (public relations) problem but as a technology
problem with PR implications. The constructive response in these
situations is to say, "We take all security issues seriously and we're
investigating this report."
Diebold, amazingly, claims that they don't timestamp ballots — even
though they do:
Other suppliers of electronic voting machines say they do not include
time stamps in their products that provide voter-verified paper audit
trails…. A spokesman for Diebold Election Systems (now Premier
Election Solutions), said they don't for security and privacy reasons:
"We're very sensitive to the integrity of the process."
You have to wonder why e-voting vendors are so much worse at
responding to security flaw reports than makers of other products.
Most software vendors will admit problems when they're real, will work
constructively with the problems' discoverers, and will issue patches
promptly. Companies might try PR bluster once or twice, but they learn
that bluster doesn't work and they're just driving away customers. The
e-voting companies seem to make the same mistakes over and over.
Read Ed Felten's original story for links to original news stories and
reports which reveal how ballot secrecy is not maintained on Diebold
or ES&S voting systems.
http://www.freedom-to-tinker.com/?p=1189