Citizen Monitors

I like the idea of this: Using ordinary folk to monitor elections, via SMS from their cellphone. And it seems to have worked.

Nigeria used a system called FrontlineSMS, developed by UK-based kiwanja.net to keep track of all of the texts. Some 54 trained associates recruited volunteers to invite as many people as possible via text message to participate in monitoring the elections.

Why might this work? Well, usually election monitors are highly visible, because they’re foreign, or they’re wearing clothes that mark them clearly as monitors, all of which may reduce fraud in front of them, but doesn’t help to actually identify fraud. As the report (no link available yet) from the Network of Mobile Election Monitors concludes:

Our monitoring is peculiar because people knew that if they try to rig the election there could be someone behind them that may send a text message reporting the incident.

In total over 10,000 messages were received covering reports of harassment, orderliness, stuffing of ballot boxes and poor voter turnout. The team concluded that there was extensive fraud and rigging in the election.

What I like about the system is that it’s not a typical election monitoring exercise, where monitors go in and view the process according to foreign templates and established norms. The free-form nature of the text messages received, and the ability of the monitoring team to ask follow up questions of participants revealed something more important than merely gauging whether the election was free and fair. It (apparently) revealed the underlying mood of the populace for peace and compromise. Asked for their reaction to the result

While about a fifth of our respondents wanted the results cancelled, the majority (about 80%) reacted that Nigeria could not afford cancellation and re-run.

 

Gaming Idol With Dialers

If you’re wondering why Sanjaya Malakar has done surprisingly well in American Idol, here’s one possible answer: dialers.

Dialers are pieces of software usually stealthily installed on a victim’s computer to automatically dial expensive premium telephone numbers. The victim only finds out when they receive their phone bill. In this case, the dialer, openly available on a reputable download site, is a voluntary install designed to automate the voting process in Idol:

Sanjaya War Dialer uses your computers modem to automatically dial the American Idol voting number over and over and over again until you tell it to stop. Automatically cast hundreds or even thousands of votes for Sanjaya with the click of a button. Make Sanjaya win and help us ruin American Idol.

The Sanjaya War Dialer has its own MySpace page where users report on their votes — 600 a hour, for some. The show’s producers are aware of this, and have been lopping off blocks of votes if they seem to be coming from power dialers, as they call them, for several weeks.

Gaming the system by voting for inferior contestants is not new. Vote for the Worst claims to have been around since 2004. And DialIdol.com offers dialers for other shows, including Dancing with the Stars, So You Think You Can Dance, Canadian Idol and Celebrity Duets. DialIdol isn’t so much about gaming the system as predicting who will be voted off by seeing which hotlines are busiest.

Should we be surprised by this? No. It’s not easy to tell how many people are using these dialers, and it would need to be a lot to make it work. But we shouldn’t underestimate the number of people willing to do this, either for fun or because they have money riding on it. And of course they may not need to vote – they only need to stop other people from voting for other contestants. Do we believe American Idol when it talks of 35 million votes? That’s a lot of phone lines.

I would say this: Any kind of voting technology that isn’t transparent and clear is likely to be manipulated, either by smart hackers with something to gain, or by those arranging the voting.

(My colleague Carl Bialik talks about voting and power dialers in his blog a couple of days back. Thanks to Handoko for the Twitter tip.)

Loose Change Sept 19 2006

It used to be called Loose Bits, but I prefer Loose Change. For now. It’s the same thing: tidbits I found that might be of interest:

  • First off, NeatReceipts, which sells a small scanner and special software to scan in your receipts while you’re on the road, has announced a new version of its software, which should be in the shops next month. Includes color Scanning, a better Document Organizer and better OCR. Version 2.5 will retail for $200, the same price as the current Scanalizer. I reviewed the product a few months back and was impressed, though you’ve got to really love receipts to get into it.
  • Lost in the Crowd allows you to search the web more anonymously by mixing in with your normal searches entirely random ones sent on your behalf: “What searches did you care about versus those that were just made up? There’s no way for the search engine, or anyone else, to tell.” Nice idea. Only hitch I can think of is if those random searches lead down weird alleys that may come back to haunt me.
  • Forget Google anonymity. Just worry about voting. A blog by two Princeton University types reveals an ordinary “hotel minibar” or office key will open the door on Diebold Voting Machines, allowing someone to remove, alter or replace the memory card that stores the votes.

The Price Of Democracy

An interesting essay by security guru Bruce Schneier (via the brianstorms weblog) on the economics of fixing an election. Put simply: How much is it worth a party to fix an election, and so how much would they be willing to spend on doing it? Put another way, how much should the folk designing an electronic voting system assume will be spent on trying to get past the security software?

Bruce does the math and concludes ”that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget. Conclusion: The risks to electronic voting machine software are even greater than first appears.”

Scary stuff. Although much of the emphasis of such articles has been on how this might be done in established democracies (and there’s still plenty to worry about there) my worry is how about how voting systems may be exported to the developing world.

Pentagon Scraps Internet Voting Plan

Further to earlier postings about security fears for a new Internet voting system for overseas Americans, AP is quoting an anonymous official as saying the Pentagon has scrapped the plan. CNET attributes the same story to a spokesperson for the Pentagon.

AP quoted the official as saying Deputy Defense Secretary Paul Wolfowitz made the decision to scrap the system because Pentagon officials were not certain they could “assure the legitimacy of votes that would be cast.” CNET quoted a spokesperson as saying pretty much the same thing:  “The action was taken in view of the inability to ensure the legitimacy of the votes cast.” 

About 6 million U.S. voters live overseas, most of them members of the military or their relatives. Pentagon officials had said they still planned to use the system, called SERVE, this fall and would test it during last Tuesday’s South Carolina primary. But the day before the voting the Pentagon called off the South Carolina test. CNET says the Defense Department is not completely dropping the idea: “Efforts will continue to look into all technical capabilities to cast votes over the Internet,” the spokesperson was quoted as saying.

Internet Voting: A Minority Report?

A reader kindly pointed out this New York Times piece on the Internet voting story I posted yesterday, which highlights some other aspects of the case.

While four members of a panel asked to review the SERVE program — designed to allow Americans overseas to vote over the Net — said it was insecure and should be abandoned, the NYT quoted Accenture, the main contractor, as saying the researchers drew unwarranted conclusions about future plans for the voting project. “We are doing a small, controlled experiment,” Meg McLauglin, president of Accenture eDemocracy Services, was quoted as saying.

Another side to this pointed out by the loose wire reader: Accenture says that the four researchers were a minority voice, and that five of the six others ‘would not recommend shutting down the program’. One of the other outside reviewers, Ted Selker, a professor at the Massachusetts Institute of Technology, disagreed with the report, and was quoted by the NYT as saying it reflected the professional paranoia of security researchers. “That’s their job,” he said. In response one of the four naysayers noted that they were the only members of the group who attended both of the three-day briefings about the system.

The reader also makes this observation: “One of their complaints is that the Internet is inherently unsafe, which may be true. I don’t believe that the US Postal Service (which is the current method for transmitting absentee ballots) is inherently safe either. Ever seen a bag of mail sitting in a building lobby waiting for pickup? I have.” Fair enough, but unless the bag contained ballots (something I have seen in, er, less security conscious democracies), I don’t think it’s a fair comparison, since a few tampered or misdirected ballots would not undermine the integrity of the election.

The security compromises in SERVE are likely to be at the server level, where hackers could either alter delivered votes, mimic voter activity, or disrupt legitimate voters from placing their ballot. This could be done on a scale that would undermine the integrity, or at least could be believed to do so. Remember: In an electronic election (where no parallel paper ballot is collected), a claim of largescale tampering is enough to undermine confidence in the result.

My tupennies’ worth? Although the E stands for experiment, I don’t see SERVE as a ‘controlled experiment’. The NYT says the program will be introduced “in the next few weeks” and covers seven states, and a possible 100,000 people this year. That doesn’t sound like an experiment to me. Maybe I’m missing something here, but I don’t really see how you can conduct an experiment in a live voting environment. What happens if there’s a suggestion the system has been compromised, either during or after the vote? I always thought that voting systems were either approved, credible and acceptable or not in public use. Of course it’s fine to have an ‘experiment’ where the only experimental part is, say, the user-aspects of the voting process. But security can surely never be part of an experiment in a live voting situation.

Security experts are paid to be skeptical. If they raise a warning flag as big as this, I think they should be listened to.

“Internet Voting Isn’t Safe”

The e-voting saga continues.

Four computer scientists say in a new report that a federally funded online absentee voting system scheduled to debut in less than two weeks “has security vulnerabilities that could jeopardize voter privacy and allow votes to be altered”. They say the risks associated with Internet voting cannot be eliminated and urge that the system be shut down.

The report’s authors are computer scientists David Wagner, Avi Rubin and David Jefferson from the University of California, Berkeley; The Johns Hopkins University and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and leading technology policy consultant. They are members of the Security Peer Review Group, an advisory group formed by the Federal Voting Assistance Program to evaluate a system called SERVE, set up to allow overseas Americans to vote in their home districts. The first tryout is scheduled Feb. 3 for South Carolina’s presidential primary.

The four say that “Internet voting presents far too many opportunities for hackers or even terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect. Such tampering could alter election results, particularly in close contests.” They “recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”

The authors of the report state that there is no way to plug the security vulnerabilities inherent in the SERVE online voting design. “The flaws are unsolvable because they are fundamental to the architecture of the Internet,” says Wagner, assistant professor of computer science at UC Berkeley. “Using a voting system based upon the Internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official.”

In short, the guys are saying the Internet is just not up to handling something like voting. But they also see the way the SERVE program carries the same flaws as the Diebold and other commercial electronic voting systems that have gotten such bad press in recent weeks (some of the four authors have been in the forefront of exposing those weaknesses). “The SERVE system has all of the problems that electronic touchscreen voting systems have: secret software, no protection against insider fraud and lack of voter verifiability,” says Jefferson. “But it also has a host of additional security vulnerabilities associated with the PC and the Internet, including denial-of-service attacks, automated vote buying and selling, spoofing attacks and virus attacks.”

After studying the prototype system the four researchers said it would be too easy for a hacker, located anywhere in the world, to disrupt an election or influence its outcome by employing any of several common types of attacks familiar to regular readers:

  • A denial-of-service attack, which would delay or prevent a voter from casting a ballot through the SERVE Web site.
  • A “Man in the Middle” or “spoofing” attack, in which a hacker would insert a phony Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter’s choice. What is particularly problematic, the authors say, is that victims of “spoofing” may never know that their votes were not counted.
  • Use of a virus or other malicious software on the voter’s computer to allow an outside party to monitor or modify a voter’s choices. The malicious software might then erase itself and never be detected.

Electronic Voting And The Criminal Connection

The story of electronic voting machines, and the company that makes many of them, continues to roll along. I wrote in a column a few weeks back (Beware E-Voting, 20 November 2003, Far Eastern Economic Review; subscription required) about Bev Harris, a 52-year old grandmother from near Seattle, who discovered 40,000 computer files at the website of a Diebold Inc subsidiary, Global Elections Systems Inc, beginning a public campaign against a company she believed was responsible for a seriously flawed e-voting system., already in use in several states.

Anyway, now she’s turned up more explosive material, it seems. The Associated Press yesterday quoted her as saying that managers of Global Elections Systems “included a cocaine trafficker, a man who conducted fraudulent stock transactions, and a programmer jailed for falsifying computer records”. The programmer, Jeffrey Dean, AP reports, wrote and maintained proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Previously, according to a public court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that “involved a high degree of sophistication and planning.”

Needless to say this is all somewhat worrying. When I followed the story I tried to concern myself merely with the technological aspects, which were pretty worrying in themselves; The e-voting system being pushed by Diebold seemed to have too many security flaws to be usable in its present state. But Ms. Harris’ digging seems to reveal a company that is, to put it tactfully, less than thorough in its background checks.

So what’s Diebold’s version? AP quoted a company spokesman as saying that the company performs background checks on all managers and programmers. He also said many GES managers left at the time of the acquisition. “We can’t speak for the hiring process of a company before we acquired it”. Acccording to Ms. Harris’ website, however, that’s misleading. Quoting a memo issued shortly after Diebold bought GES in early 2002, Dean had “elected to maintain his affiliation with the company in a consulting role”. Diebold, the memo says, “greatly values Jeff’s contribution to this business and is looking forward to his continued expertise in this market place”. AP said Dean could not be reached for comment Tuesday afternoon and I cannot find any subsequent report online.

It’s hard to see how Diebold is going to recover from what has been a series of body blows to its credibility in such a sensitive field as voting. The same day as Ms. Harris revealed her latest bombshell, the company announced “a complete restructuring of the way the company handles qualification and certification processes for its software, hardware and firmware”. Diebold hopes the announcement will “ensure the public’s confidence that all of our hardware, software and firmware products are fully certified and qualified by all of the appropriate federal, state and local authorities prior to use in any election”.

Clearly the whole fracas has done serious damage to public confidence in electronic voting. But it’s important to keep perspective. There’s nothing wrong intrinsically with e-voting — it’s a sensible way to speed up the process, make it easier for citizens and, perhaps, to extend the use of such mechanisms to allow the population to have a greater and more regular say in how their lives are governed. But like every technological innovation, it’s got to be done right, by the right people, with the right checks and balances built in, and it can’t be done quickly and shoddily. Most importantly, it’s got to be done transparently, and those involved in building the machines must never be allowed to conceal their incompetence by preventing others from inspecting their work and assessing its worthiness.

For details of Ms. Harris allegations, check out her website Blackbox Voting. A summary of the press conference is here, as are the supporting documents (both PDF files.)

Diebold Confirms Dropping E-voting Suit

 Diebold, the electronic voting company and the subject of a recent Loose Wire column, have confirmed that they’ve decided not to sue folk who published leaked documents about the alleged security breaches of electronic voting. 
 
AP reports (no URL available yet) that a Diebold spokesman promised in a conference call Monday with U.S. District Judge Jeremy Fogel and attorneys from the Electronic Frontier Foundation that it would not sue dozens of students, computer scientists and ISP operators who received cease-and-desist letters from August to October. 
Diebold did not disclose specifics on why it had dropped its legal case, but the decision is a major reversal of the company’s previous strategy. Ohio-based Diebold, which controls more than 50,000 touch-screen voting machines nationwide, had threatened legal action against dozens of individuals who refused to remove links to its stolen data.