Monday, December 26, 2005

California Secretary of State Refuses to Re-Certify Diebold Voting Machines (For Now...)

By Brad Friedman, The Brad Blog   
December 21, 2005
SoS: 'Unresolved significant security concerns', 'Source Code Never Ever Reviewed' - State 'Punts' Issue Back to Feds for Further Testing, State Senator Bowen Objects

Complete Letter from McPherson to Diebold, McPherson's Press Release, Bowen's Full Statement.

This article was originally posted on The Brad Blog on December 20, 2005. It is reposted here with permission of the author.

Late this afternoon, Sec. of State Bruce McPherson's office sent a letter to Diebold Election Systems, Inc. Vice President David Bryd, informing him that the state is declining -- for the time being -- to re-certify Diebold AccuVote touch-screen machines in the state of California pending further testing and certification by Federal authorities.

In the letter, on McPherson's letterhead, Caren Daniels-Meade, chief of the Elections Division writes that "Unresolved significant security concerns exist with respect to the memory card used to program and configure" the Accu-Vote operating system and touch-screen equipment.

In a statement reported by AP, SoS spokeswoman Jennifer Kerns announced problems "discovered during routine testing...by state employees and independent consultants":
She said each system approved for use in California must meet 10 security requirements, and the Diebold machines did not meet one of those standards.

"This is a unique case in which we discovered that the source code had never, ever been reviewed," said Kerns. "There were potential security risks with it."
Some of those "potential security risks" may have been revealed in a test last week using similar Diebold equipment in Leon County, FL, where the results of a test election were reversed by a hacked program inserted onto one of the AccuVote memory cards. The hacked election was completed without a trace of the manipulation left behind.

In 2004 Diebold machines were de-certified by California's then Democratic Sec. of State Kevin Shelley after it was revealed that the company had used uncertified software in voting machines in the state. That matter was resolved in a $2.6 million settlement by Diebold with the state. A recent Securities Fraud Class Action complaint has alleged the settlement was meant to shield the public from a litany of flaws in Diebold voting systems. Additional complaints are now pending against the Ohio-based company whose former CEO had promised to "deliver the state of Ohio" to George W. Bush in an infamous fundraising letter sent to Republicans prior to the 2004 Presidential Election. The CEO, Walden O'Dell, was forced to resign early last week just prior to the filed litigation.

Republican McPherson, who later replaced Shelley, carried out a massive mock election test over the summer revealing that 20% of Diebold's AccuVote touch screen machines failed to operate as promised, with many of the touch-screens freezing and printers jamming.

Several weeks ago, McPherson's staff, however, suddenly announced that they were recommending the re-certification of Diebold machines again (under specific conditions) after a secret test, using machines specially prepared by Diebold, found this time that only 3% of the machines failed.

Then came the protests, the Securities Fraud Litigations, and last week's devasting Leon County hack test which resulted in the county announcing they would never use Diebold in another election. Another county in Florida, Volusia, quickly followed suit in deciding to dump their Diebold machines.

McPherson's office, rather than simply decertifying Diebold once and for all in California, has today decided instead to pass the buck back to the the so-called Federal "Indepenent Testing Authority" (ITA). The ITA is a group of several companies chosen and paid for by the voting machine companies such as Diebold themselves, to test their equipment and software on behalf of the Federal Government. Those ITA labs then either certify the software and/or hardware or send it back to the company with the results of the failed tests kept confidential.

State Senator Debra Bowen (D-Redondo Beach) has been an outspoken critic of McPherson's process for considering recertification of Diebold and has otherwise been a watchdog on issues related to the quickly changing Electoral landscape in the Golden State. She released a statement late this evening. Bowen is critical of McPherson's plan to "punt" the issue back to the Feds and says in her statement:
“The Secretary of State shouldn’t punt the decision about whether Diebold machines should be used to count ballots in California to the federal government and an ‘independent’ testing authority that’s financed by the voting machine vendors. That decision needs to be made in the open, right here in California.”
Bowen, the author of the so-called "Bowen Amendment" (SB 370) recently signed by Governor Arnold Schwarzenegger. That legislation mandates, among other things, paper records created for all votes cast in California, as well as mandatory audits of ballots. She has also recently announced her intention to run for Secretary of State in 2006. Her website is here.

Bowen is highly critical of the secretive processes of the ITA, and various electronic voting machinery being deployed around the state using secret software to count Californians votes:
“The federal testing process is notoriously weak and it’s done in secret,” continued Bowen. “Plus, these supposedly ‘independent testing authorities’ the Secretary of State wants to rely on are financed by the voting machine industry and conduct their tests in secret as well. That’s why California shouldn’t be relying on proprietary software that uses secret code to count ballots. If we want to ensure we have voting systems that are reliable and secure – and that voters have confidence in – we need to be moving toward an open source software structure.”
Computer security expert, Avi Rubin, who originally discovered some of the astounding security flaws in Diebold's GEMS central tabulator, recently wrote at Huffington Post about the "Dirty Little Secrets of Voting System Testing Labs". We highly recommend his insightful and revealing article on both that and his recent experience at a summit held on Electronic Voting Security issues in California.

In a report filed by Contra Costa Times, Rubin says that review of the source code will determine little, since the source code has little do to with whether or not a hacker is able to introduce a malicious program. It's "definitely not something that's going to give a definitive answer," said Rubin.

McPherson's decision is surely a setback for Diebold who, like several other Voting Machine Companies, are currently scrambling for contracts in the wake of the impending Jan. 1, 2006 Help America Vote Act (HAVA) deadline. If States and Counties wish to receive Federal money to pay for voting systems upgrades, they must make their final decision on which companies to use by that date. Many of those States and Counties had been watching and waiting to see what California would do, given their previous history with Diebold. And of course, as Diebold -- one of several private companies vying to control the country's public voting system -- has described the state: it is America's "largest voting market."
LINK

No comments: