[IP] Avi Rubin -- My day at the polls

To: ip@xxxxxxxxxxxxxx
Subject: [IP] Avi Rubin -- My day at the polls
From: Dave Farber <dave@xxxxxxxxxx>
Date: Wed, 03 Mar 2004 09:10:49 -0700
List-help: <http://v2.listbox.com/doc/help_sub?list_name=ip@v2.listbox.com>
List-id: <ip@xxxxxxxxxxxxxx>
List-software: listbox.com v2.0
List-subscribe: <mailto:subscribe-ip@v2.listbox.com>, <http://v2.listbox.com/subscribe/?listname=ip@v2.listbox.com>
List-unsubscribe: <mailto:unsubscribe-ip@v2.listbox.com>, <http://v2.listbox.com/member/unsubscribe/?listname=ip@v2.listbox.com>
Reply-to: dave@xxxxxxxxxx
Sender: owner-ip@xxxxxxxxxxxxxx


Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Wed, 03 Mar 2004 07:19:06 -0500
From: Avi Rubin <rubin@xxxxxxx>
Subject: My day at the polls
To: Dave Farber <dave@xxxxxxxxxx> (by way of Bernard A. Galler)

I served as an election judge today. What an experience. Perhaps one of themost interesting days of my life. I have written it up at


   http://avirubin.com/judge.html

If I have received email from you in the last two days and not respondedyet, I apologize. We had no access to phones or email all day as electionjudges.


Avi

My experience as an Election Judge in Baltimore County

by

<http://avirubin.com/>Avi Rubin

It is now 10:30 pm, and I have been up since 5 a.m. this morning. Today, Iserved as an election judge in the primary election, and I am writing downmy experience now, despite being extremely tired, as everything is fresh inmy mind, and this was one of the most incredible days in my life.

I first became embroiled in the current national debate on evoting securitywhen Dan Wallach of Rice University and I, along with Computer ScientistYoshi Kohno and my Ph.D. student Adam Stubblefield released<http://avirubin.com/vote/>a report analyzing the software in Diebold'sAccuvote voting machines.

Although there were four of us on the project, perhaps because I was themost senior of the group, the report became widely associate with me, andpeople began referring to it as the "Hopkins report" or even in some casesthe "Rubin report". I became the target of much criticism from Maryland andGeorgia election officials who were deeply committeed to these machines,and of course, of the vendor. The biggest criticism that I received wasthat I am an academic scientist and that academics do not "know siccum"about elections, as Doug Lewis from the Election Center put very eloquently.

While I dispute many of the claims that computer scientists working one-voting security analysis are deficient in their knowledge of elections, Irealized that there was only one way to stifle this criticism, and at thesame time to perform a civic duty. I volunteered to become an electionjudge in Baltimore County. The first step was to get signed up. I filledout a form at a local grocery store and waited for a call from theBaltimore County Board of Elections. The call never came. So, I called upthe board and spoke with the head of elections and found out that there wasa mandatory training session a couple of days later. I got on to the listfor the training, and I attended. There, I learned that my entire countywould be voting with Diebold Accuvote TS machines, the very one that we hadanalyzed in our report. It was an eery feeling as I trained for 2 hours onevery aspect of using the machine and teaching others how to use them.Afterwards, I received a certificate signed by the board of elections andbecame a qualified judge. I was supposed to receive a phone call within afew days assigning me to a precinct, but I did not. So, I called up theboard of elections and spoke with the same woman, who assigned me to aprecinct at a church in Timonium, MD, about 15 minutes from my house.

I reported to my precinct at 5:45 a.m. this morning. Introductions began,and I immediately realized that it would not be a normal day. There are twohead judges, one from each party. There were also seven other judges. Thehead judges were Marie (R) and Jim (D). Both of them mentioned that theyread about me in the paper that morning, and were pretty cold towards me.It turns out that the Baltimore Sun ran<http://www.baltimoresun.com/news/local/bal-md.rubin02mar02,0,7983876.story>astory today about my being an election judge. In there, I'm quoted assaying that the other judges in my training were in the "grandparentcategory" with respect to their age. My colleagues for the day, who were inthat category as well, did not appreciate the barb and were ready to sparwith me.

There are three types of judges besides the head judges. There are fourbook judges, one from each party with A-K and one from each party with L-Z.There is one judge assigned to provisional ballots, and a couple of unitjudges charged with assigning voters to particular machines. I was the L-Zdemocrat book judge, along with Andy, a grandfather of many, a staunchRepublican, and a fellow I grew very fond of as the day went on. To my leftwere Anne, the Republican judge married to Andy, and Sandy. Actually, therewere two Sandys. One began as a unit judge, but early on switched with theother Sandy to be the democratic book judge on A-K. Bill was theprovisional judge, and he is married to head judge Marie. And then therewas Joy. One of the Sandys, Joy and I were the three younger judges who didnot fit into the grandparent category.

Joy was by far the most knowledgeable about the election. She had traineddozens of groups on the Diebold machine, and she knew all of the proceduresinside and out. The head judges deferred to Joy on just about every majorissue that came up. She knew our manuals by heart, and we were very luckyto have her there. In reality, all of us helped with all of the jobs, butwe had our default assignments.

The job of the book judge is to look up each voter in a card deck and findtheir registration card. If there wasn't one, then there were proceduresfor handling them. Once we found the card, we cross checked it with ourroll booklet. For the most part this process went smoothly. I wore a stringaround my neck with a little electronic sleave on the end. After a voterwas verified as registered, I slid a smartcard into the sleave and pushed afew buttons to designate whether or not this voter should receive aDemocrat or Republican ballot, based on their registration, and there wasalso an option for specifying magnification of the ballot on the screen, oreven audio for blind people.

From 6-7 a.m., we set up the voting booths. We had to unplug all of thembecause they were facing the wrong way. We then rearranged them and pluggedthem back in. Each machine has a 5 hour battery, so this process wentwithout a hitch. Pretty much all of the judges knew who I was and what myrole has been as a very public critic of electronic voting and Diebold inparticular. At around 6:30, representatives from Diebold arrived, andalthough my badge said "Avi" on it, I heard them refer to me as ProfessorRubin, so I knew that they knew exactly who I was. In fact, some of thevery senior Diebold executives who I recognized showed up, which makes methink that they knew I would be there, perhaps based on the Baltimore Sunarticle.

At 7 a.m., we opened the polls, and head judge Jim cast the first vote, toa round of applause from all of us. Voters trickled in, but at a slow pace.I felt some hostility from my fellow judges. This was not helped by whattranspired next. A TV crew from Fox News showed up at the polls and askedthe head judge if they could interview me. The head judge called a "super"judge at the county and came back and said no. The reporter asked to speakto the super judge, named Jackie, and was obviously not getting anywhere.She left rather angry, with a nasty exchange with head judge Jim and someunpleasant words with head judge Marie. I felt very uncomfortable. At thatmoment, there were no more voters in the room, and I offered to everyone inthe room that I was not here to pull a publicity stunt, and that I wouldagree not to speak with any reporters throughout the day. This was aserious responsibility and duty that I took with the utmost respect for thesystem, and I would not let it turn into a mockery. A few minutes later,though, a photographer from the Baltimore Sun showed up with a reporter intow. The same routine happened, only this time, they allowed thephotographer to take pictures of me working and checking in voters andprogramming smartcards. However, they would not let the reporter talk tome. An angry exchange ensued, and when he left, I felt that tempers werepretty hot.

Once again, I reiterated my intensions of being nothing more than anobjective judge today. The situation was worsened when one voter had aproblem with his card which the voting machine spit out. He was given a newcard, but I was concerned, and so I asked head judge Marie to count theballots and check them against the count in the machine after he left. Shedid, and the count was fine. The smartcard really had failed and it wasfixed. However, I overheard head judge Jim complain to Joy that I had madea big deal about that incident because the Baltimore Sun reporter wasthere. That was not true. It was a coincidence.

Over the next several hours, we all were busy checking in voters anddealing with running the election. Everybody calmed down, and we startedjoking around with each other and the mood became more positive. We onlyhad one other minor press incident during the day. During breaks, I decidedto educate Marie and Joy about the security problems of electronic votingmachines. Amazingly, they really started to get it. They confessed thatthey had been ready to fight me, and that there was great animosity towardsme, but that, in their words, I wasn't "such a bad guy after all". At thesame time, I started realizing that some of the attacks described in ourinitial paper were actually quite unrealistic, at least in a precinct withjudges who worked as hard as ours did and who were as vigilant. At the sametime, I found that I had underestimated some of the threats before. I thinkthat being an election judge was the best thing I could have possibly doneto learn about the real security of elections.

In our paper, we described how the smartcards used by these machines had nocryptography on them, and we made the widely criticized claim that ateenager in a garage could manufacture smartcards and use them to vote 20times. I now believe that this particular attack is not a real threat -- atleast not in the primary I worked today. We had 9 judges and 5 machines.Whenever a voter took what seemed to be too long, we always had a judge askthem if they needed help, or if something was wrong. Also, the machinesmake a loud clicking sound when the smartcard is ejected, and we almostalways had a judge standing there waiting to collect the card and give thevoter a sticker, as they are ushered out.

In general, multiple voting attacks during the election are not likely towork in a precinct such as the one where I worked. Every hour or so, wecounted all of the voter authorization cards (different from thesmartcards), which were in an envelope taped to the machine, and comparedthem to the number of votes counted by the machine so far. I believe thatif any voter somehow managed to vote multiple times, that it would bedetected within an hour. I have no idea what we would do in that situation.In fact, I think we'd have a serious problem on our hands, but at least wewould know it.

Every hour, we also counted the totals on the machines and compared them tothe totals in the registration roster that we used to check people in. Iwas amazed at the number of countings and pieces of paper that we shuffledthroughout the day in what was billed as a paperless electronic election.

There were also some security issues that I found to be much worse than Iexpected. All of the tallies are kept on PCMCIA cards. At the end of theelection, each of those cards is loaded onto one machine, designated as thezero machine. (I found it interesting that Diebold numbered the machines 0through n-1, disproving my notion that they don't have anyone on board whoknows anything about Computer Science.) The zero machine is then connectedto a modem, and the tallies are sent to a central place, where they areincorporated with the tallies of other precincts. In our case, the phoneline was not working properly, so we went to the backup plan. The zeromachine combined all the tallies from the PCMCIA cards that were loaded oneat a time onto the machine. It then printed out the final tallies. One copyof that went onto the outside door of the building where there weretalliers and poll watchers eagerly waiting. The other was put into a pouchwith all of the PCMCIA cards, each wrapped in a printed tally of themachine to which it corresponds, and that pouch was driven by the two headjudges to the board of elections office.

The security risk I saw was that Diebold had designated which machine wouldbe the zero machine, and at one point, all of the vote tallies were loadedonto that one machine in memory. That would be the perfect point tocompletely change the tallies. There is no need to attack all of themachines at a precinct if someone could tamper with the zero machine. Infact, even when the modem is used, it is only the zero machine that makesthe call. In the code we examined, that phone call is not protectedcorrectly with cryptography. Perhaps that has been fixed. I was glad to seethat the administrator PIN actually used in the election was not the 1111that we used in our training, and that we had seen in the code.

One thing absolutely amazed me. With very few exceptions, the voters reallyLOVED the machines. They raved about them to us judges. The most commoncomment was "That was so easy." I can see why people take so much offenseat the notion that the machines are completely insecure. Given my roletoday, I just smiled and nodded. I was not about to tell voters that themachines they had just voted on were so insecure. I was curious that votersdid not seem to question how their votes were recorded. The voterverifiability that I find so precious did not seem to be on the minds ofthese voters. One woman did come up to Joy and complain that she wanted apaper ballot to verify. But, Joy managed to convince her that thesemachines were state of the art and that there was nothing to worry about,which was followed by a smile and a wink in my direction. I just keptquiet, given the circumstances. As an election judge, my job is to make theelection work as well as possible, and creating doubts in the voters' mindsat the polls does not figure into my idea of responsible behavior. Perhapsthe lightest moment in the day came when one voter standing at his machineasked in the most deadpan voice, "What do I do if it says it is rebooting?"Head judge Marie turned white, and Joy's mouth dropped. My heart started tobeat quickly, when he laughed and said "just kidding." There was about atwo second pause of silence followed by roaring laughter from everyone.

I found the reaction to that joke interesting. Everybody was willing tobelieve that this had happened, and yet when it became clear that itdidn't, we all felt relief. I'm sure that the other judges would haveclaimed that this was impossible, and yet, for a brief instant, they allthought it had happened.

There were a few unusual moments related to my previous work on e-voting.Several people recognized me from TV appearances and from the paper.Yesterday, I was on two CNN shows and the local ABC station criticisingDiebold's voting machines, and last week, I was on the Today show and onTechTV. One voter who I was checking in, leaned over and said, "I know whoyou are." I just smiled. Then he asked me if he should even bother voting,and if I thought the machines would "hold out". I answered that my viewswere well known, but that today I was an election judge. Another voterasked me, "Aren't you that hacker guy?"

In the beginning of the election, we printed a "zero tape" of each machine.I found this to be the kind of charade that a confidence man would playwhen performing some slight of hand. So, the machines printed eachcandidates name with a zero next to it. Somehow, that is supposed to meanthat there are no votes counted on the machine? I don't know. I think Icould write a five line computer program that would print the zero tally,and I don't see how that ties into the security of the election. In fact,that was not the only procedure that I thought served more as eye candythan real security. For example, the process for collecting the smartcardswas for the unit judge to take the card from the voter and put it on apiano that was across the room. Every 15 minutes or so, the unit judgewould take the cards and give them back to us book judges. When a Dieboldrep showed up, I asked her about this, and she said that it was done togive the voters a sense that nothing was being kept on the smartcards abouttheir voting session. After my experience today, I can say with totalconfidence that this would not have ocurred to any of the voters we had.

There was a very funny moment around 2:00 in the afternoon. A votercomplained that she was a Democrat but had been given the Republicanballot. This required both head judges to void the ballot. It turned outthat this had been my mistake when I coded the smartcard. In fact, I wasthe only one the entire day who made such a mistake. The less than youngjudges had a good time constantly reminding me of who the careless judgewas at this election. One of them commented to me that there are many youngpeople who are incompetent and many old people who can manage an electionjust fine, thank you.

I continue to believe that the Diebold voting machines represent a hugethreat to our democracy. I fundamentally believe that we have thrown ourtrust in the outcome of our elections in the hands of a handful ofcompanies (Diebold, Sequoia, ES&S) who are in a position to control thefinal outcomes of our elections. I also believe that the outcomes can bechanged without any knowledge by election judges or anyone else.Furthermore, meaningful recounts are impossible with these machines.

I also believe that we have great people working in the trenches and on thefront lines. These are ordinary people, mostly elderly, who believe in ourcountry and our democracy, and who work their butts off for 16 hours,starting at 6 a.m. to try to keep the mechanics of our elections runningsmoothly. It is a shame that the e-voting tidal wave has a near hypnoticeffect on these judges and almost all voters. I believe that after today'sexperience, I am much better equipped to make the arguments againste-voting machines with no voter verifiability, but I also have a greatappreciation for how hard it is going to be to fight them, given how muchvoters and election officials love them.

We were not allowed to use cell phones or access email all day. On my wayhome from the polls, I called my voicemail at work. I had messages andrequests for interviews from ABC News, the Baltimore Sun, the WashingtonPost, Wired News, CNN, several radio stations and the New York Times. So,this issue is not going away. Over the next few days, I'll be discussing myexperience and probably sparring with the usual suspects in the variousmedia outlets. My biggest fear is that super Tuesday will be viewed as abig success. By all accounts, everyone at my precinct felt that way. Themore e-voting is viewed as successful, the more it will be adopted, and thegreater the risk when someone decides to actually exploit the weaknesses ofthese systems.

It's now almost midnight, and I've been up since 5:00 a.m. I'm fallingasleep as I type this, so I will end here. Good night.


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

Prev by Date: [IP] Court overrules FCC on phone competition
Next by Date: [IP] Physical Review E Paper on Bubble Fusion
Previous by thread: [IP] Court overrules FCC on phone competition
Next by thread: [IP] Physical Review E Paper on Bubble Fusion
Index(es):
- Date
- Thread