Friday, March 06, 2009

Report: Diebold Voting System Has "Delete" Button for Erasing Audit Logs


by: Kim Zetter | Visit article original @ Wired

photo
California's secretary of state released a report that found Diebold voting machines lost 200 ballots during November's presidential election. (Photo: Kiichiro Sato / AP)

After three months of investigation, California's secretary of state has released a report examining why a voting system made by Premier Election Solutions (formerly known as Diebold) lost about 200 ballots in Humboldt County during November's presidential election.

But the most startling information in the state's 13-page report is not why the system lost votes, which Wired.com previously covered in detail, but that some versions of Diebold's vote tabulation system, known as the Global Election Management System (Gems), include a button that allows someone to delete audit logs from the system.

Auditing logs are required under the federal voting-system guidelines, which are used to test and qualify voting systems for use in elections. The logs record changes and other events that occur on voting systems to ensure the integrity of elections and help determine what occurred in a system when something goes wrong.

"Deleting a log is something that you would only do in de-commissioning a system you're no longer using or perhaps in a testing scenario," said Princeton University computer scientist Ed Felten, who has studied voting systems extensively. "But in normal operation, the log should always be kept."

Yet the Diebold system in Humboldt County, which uses version 1.18.19 of Gems, has a button labeled Clear, that "permits deletion of certain audit logs that contain - or should contain - records that would be essential to reconstruct operator actions during the vote-tallying process," according to the California report.

The button is positioned next to the Print and Save As buttons (see image above), making it easy for an election official to click on it by mistake and erase crucial logs.

In fact, the report says, this occurred recently in a California county when an official, while attempting to print out a copy of a so-called "poster log," inadvertently deleted it instead.

The system provides no warning to the operator that clicking on the button will result in permanent deletion of records in the log, nor does it require the operator to confirm the action before executing it.

Apparently Premier/Diebold was aware that having a Clear button on its system was a bad idea. According to California's report, one of the system's developers wrote in an e-mail in 2001: "Adding a Clear button is easy, but there are too many reasons why doing that is a bad idea." Yet the company included the button in its system anyway.

The button was removed from software versions 1.18.20 following, but Premier/Diebold never went back to jurisdictions using previous versions to upgrade them, and version 1.18.19 is still used in three California counties as well as in other states. It's unclear how many previous versions of the software had the button, or why it was included in the first place.

According to the report:

The Clear buttons ... allow inadvertent or malicious destruction of critical audit trail records in all Gems version 1.18.19 jurisdictions, risking the accuracy and integrity of elections conducted using this voting system. Five years after the company recognized the need to remove the Clear buttons from the GEMS audit log screens, not only Humboldt, San Luis Obispo and Santa Barbara Counties in California but jurisdictions in other parts of the country, including several counties in Texas and Florida, continue to use Gems version 1.18.19....

The report states that the inclusion of the button violated the federal voting-system standards under which the Premier/Diebold system qualified to be used in elections. The standards require that voting-system software automatically creates and permanently retains electronic audit logs of important system events that occur on the machine.

Premier/Diebold did not respond to a request for comment.

The Clear button isn't the only problem with the audit log in the Premier/Diebold system. Wired.com previously reported other issues with the logs - for example, they don't record significant events that occur in the tabulation system, such as when someone deletes votes from the software.

The California report states that the Clear button and other issues should have been a red flag to the testing laboratories that certified the system. The system should have flunked certification-testing and been banned from the election.

Under the official voting-system standards, "each of the errors and deficiencies in the Gems version 1.18.19 software described in this report, standing alone, would warrant a finding ... of 'Total Failure'," the report concludes.

"Presumably some organization, some lab, looked at this system and decided they thought it complies with the standard," said Felten. "And, obviously, they were wrong. Any state that uses Gems should be looking at this seriously."

It's unclear what the states currently using the Gems system will do now that they know their voting software does not create an adequate audit trail.

California's secretary of state has scheduled a public hearing on March 17 to discuss the report and whether version 1.18.19 of Gems should be decertified in the state. That would force counties in the Golden State to upgrade to a different version.

As for addressing the fundamental problems with the audit logs in all versions of the GEMS software, a spokeswoman for the secretary of state's office said only that the state sent the report to the federal Election Assistance Commission to communicate the issue to election officials in other states.

A spokeswoman for the EAC told Wired.com that the commission has no authority to address problems with voting systems that were tested and qualified prior to 2002, when Congress gave the organization oversight responsibility.

"There's no regulatory action that we could take," said EAC spokeswoman Jeannie Layson. "But certainly ... [we] make sure that the test labs and independent reviewers who look at the test reports are aware of all that information."

The lab that was responsible for testing and qualifying Gems version 1.18.19 with the Clear button is Colorado-based Ciber. In 2007, the lab was suspended from testing voting systems for not following quality-control procedures and for failing to document that it was conducting all the required tests. But the EAC restored the lab's accreditation to test voting systems last year.

Ciber did not respond to a call for comment about its examination of the Premier/Diebold system and its approval of the Clear button.

The California report is the result of an investigation into what occurred in Humboldt County during the November 2008 presidential election.

After the election, county officials discovered that their tabulation software had dropped 197 ballots without giving any notice to election officials that it was doing so. Humboldt uses a Premier/Diebold central-count optical-scan system. The company acknowledged that a programming flaw in version 1.18.19 of Gems could drop votes when used with a central-count scan system, and that it had known about the problem since October 2004.

Premier/Diebold sent some election officials a workaround at the time, though Humboldt County election director Carolyn Crnich never received it. The company also never notified California state officials or the federal EAC so that election officials around the country could be notified.

The flaw was fixed in May 2005. But until then, the vendor let jurisdictions use five flawed versions of the software and never explained the problem or the workaround in user documentation. Diebold has said that no jurisdiction outside California used these versions of Gems with a central-count scan system and therefore were not at risk from the flaw. California officials backed this claim in their report.

Secretary of State Debra Bowen has sponsored legislation that would require a voting-machine vendor to notify the state in writing any time it discovers a problem with its voting system. The vendor would have to notify the state - and any California jurisdiction using the voting system - within five working days of discovering a flaw in software or hardware.

The bill also requires a vendor to disclose any flaws it already knows about systems that are currently in use in the state. These reports will then be submitted to the EAC so that officials in other states will know about them as well. The bill provides for civil penalties of $10,000 per violation against vendors for undisclosed flaws or for making unauthorized changes to a voting system.

Kate Folmar, spokeswoman for the secretary of state's office, said Bowen hopes that the bill, if passed, "could become a model for other states for dealing with similar anomalies and problems that pop up with their voting systems."

-------

For More Information:

Voting Machine Audit Logs Raise More Questions About Lost Votes in Cal Election

Serious Error in Diebold Voting Software Caused Lost Ballots in California County

Unique Transparency Program Uncovers Problems With Voting Software

No comments: