Trust The Computer, Citizen

You know, after the whole vote-counting debacle in Florida in 2000, you would think that one thing you could probably count on would be that managing the voting process in one of the most prosperous and well-educated counties in the United States would be a responsibility that would not be completely turned over to drooling idiots and morons.

Well, in Fairfax County, Virginia, at least, you’d be wrong!

The new touch-screen voting machines that Fairfax County and other jurisdictions have spent millions of dollars to acquire are hailed by elections officials for their speedy tabulations, their wireless transmission capability and their simplicity for voters.
But recent warnings from computer scientists at Johns Hopkins University and elsewhere that the new equipment is vulnerable to viruses and other electronic attacks have some officials acknowledging that they did not completely understand what they were getting into when they signed the purchase orders.
“The technology changes so quickly that we are finding it a challenge trying to stay on top of security,” said Jean R. Jensen of the Virginia State Board of Elections. “We are just trying to keep up with the game.”…
The state hired Britain J. Williams, a professor emeritus at Kennesaw State University and longtime election consultant, to ensure that the devices complied with state codes. Williams said he did not study their vulnerability to hackers, nor was he required to do so.
Fairfax elections officials said the system won them over with its sophisticated, convenient and easy-to-use features. “Security wasn’t really the deciding factor,” said county election manager Judy Flaig. [emphasis mine] The system has some high-tech features: Blind voters, for example, can put on headsets and have the ballot read to them by a digital voice. The WINvote machines tally votes in seconds, using a wireless network protected by a security program known as Wired Equivalent Privacy.
But the program is easily hacked, said Johns Hopkins computer scientist Aviel Rubin; how-to instructions are available to the public, he said. And even if the wireless system is used only after the polls close, viruses can be made to wait until the network is turned on and then wipe out or tamper with the numbers…
“They keep saying, ‘Well, in theory you can do stuff,’ ‘Well, in theory you can this or that.’ It makes good John Grisham novels; it makes good spy stories. But to do this stuff on a large scale is nearly impossible,” Flaig said. “You have to trust the system at some point.” [Again, emphasis mine]

OK, so let’s review. First thing: unless she has been flagrantly misquoted, Fairfax County election manager Judy Flaig is a dangerous incompetent who should be removed from office immediately. How the hell can you be in charge of a balloting process and say that the integrity of the ballots is isn’t a priority? How can you dismiss the concerns of experts in the field of computer security with a wave of the hand and a tart remark about John Grisham fantasies when you freely admit that you know nothing about the issue yourself and have done no research of your own? And when confronted with her own ignorance she just retreats back into some kind of bizarre faith-based fantasy where if we all just “trust the system” then everything will all just be all right. Yeah, because nobody has ever tried to stuff a freaking ballot box before.

Ms. Flaig sounds like someone who got dazzled by a nifty PowerPoint and didn’t bother asking too many inconvenient questions afterwards, like “Does your product make it possible for a pimply fifteen-year-old with an iBook to change the results of an election?” You know, little things like that. Jesus, what a moron.

(If you live in Fairfax County, you can get phone numbers and e-mail addresses for Ms. Flaig’s bosses, the County Electoral Board and General Registrar, from their Web site; I encourage you to give them a call and ask them to inquire with Ms. Flaig what “features” she finds more compelling than being able to guarantee the accuracy of election results. I’m sure they’d be as interested to know as we would be.)

Second, the Fairfax County election board just spent $3.5 million of the taxpayer’s money for a system that they cheerfully admit they don’t understand. The Post article made me curious about whether this company, Advanced Voting Solutions, is as big a collection of ripoff artists as they seem, so I took a look at their site to see what they had to say about their WINVote product — the one Fairfax County just bought into. They’ve got four pages describing the benefits of the WINVote system, but not a single mention of any security measure — except for some hand-waving about how the wireless networking feature means that you don’t have to rely on poll workers to set the damn things up, which they contend somehow makes the system more secure (which is, of course, nonsense).

I have a feeling that the “features” that got Ms. Flaig so hot and bothered are the ones they spend much more time concentrating on, such as:

For the administrative staff it simplifies and reduces the process of election preparation so that the myriad of labor intensive tasks, both in the pre-election and election-day environments become a thing of the past.

These guys clearly know their target market — if they’re all as rock-stupid as Judy Flaig, odds are they’re pretty damn lazy too, so anything that means they don’t have to brush the Chee-tos dust off their shirts and do some work is gonna go a long way towards closing the deal.

What the Post article tells us that the AVS Web site doesn’t is that the WINVote machines rely on a standard called Wired Equivalent Privacy (WEP) to keep hackers out. This is, quite frankly, a joke. Thanks to some fundamental flaws in its design, WEP was cracked wide open over two years ago and is now widely considered to be nothing more than the barest of fig leaves, useful only for keeping out casual snoops, useless for blocking any kind of determined attack. Depending on WEP for wireless security is like depending on chanting “no baby no baby no baby” for contraception — it might work for a while, but do you really want to bet on it over the long haul?

If this is the way we’re going in this country, I predict that we will have a complete breakdown in our democratic process sometime in the next fifteen to twenty years that will make Florida 2000 look like a day at the beach. If you thought hanging chads were bad, wait until we have to “audit” a voting system that leaves no paper trail, can be hacked silently from a remote location, and that nobody responsible for the election system even understands — all because some idiots in the local government thought they could trust the system because it’s on, you know, a computer.


Comments

Record as I Am

October 29, 2003
11:28 am

Tech flaws in electronic voting

Electronic voting has been getting some attention around the net recently but I haven’t seen much of a blip outside the web. The promise of electronic voting is to replace the “antiquated” paper voting system in the US with an automated computer co…

Record as I Am

November 5, 2003
9:56 am

Jason was right

Jason was right in predicting that elections in Fairfax County were handed over to an electronic system that failed because officials didn’t understand it well enough. Turn…

Unbeknownst to Me

March 15, 2004
12:37 am

Watch a Spleen Explode in Near-Real Time

A little bit ago, a relative of mine commented on a solution to just such an issue…

ryanpark.org

September 7, 2004
2:18 pm

http://www.ryanpark.org/archives/000109.html

My county, Fairfax County in Virginia, implemented a touch-screen voting system last year. The software, called WINvote, does not have a voter-verifiable audit trail. Without audit information, it’s impossible to ensure that the voting results are accu…

ryanpark.org

September 7, 2004
2:19 pm

http://www.ryanpark.org/archives/000109.html

My county, Fairfax County in Virginia, implemented a touch-screen voting system last year. The software, called WINvote, does not have a voter-verifiable audit trail. Without audit information, it’s impossible to ensure that the voting results are accu…

ryanpark.org

September 7, 2004
2:22 pm

http://www.ryanpark.org/archives/000109.html

My county, Fairfax County in Virginia, implemented a touch-screen voting system last year. The software, called WINvote, does not have a voter-verifiable audit trail. Without audit information, it’s impossible to ensure that the voting results are accu…