April 21st, 2004

Diebold one step closer to decertification

From the Oakland Tribune, "Diebold knew of legal risks", by staff writer Ian Hoffman:
Attorneys for Diebold Election Systems Inc. warned in late November that its use of uncertified vote-counting software in Alameda County violated California election law and broke its $12.7 million contract with Alameda County. ... [They realized Diebold] also faced a threat of criminal charges and exile from California elections.

Yet despite warnings ... Diebold continued fielding poorly tested, faulty software and hardware in at least two of California's largest urban counties during the Super Tuesday primary, when e-voting temporarily broke down and voters were turned away at the polls.

Other documentation obtained by the Tribune shows that the latest approved versions of Diebold's vote-counting software in this state cast doubt on the firm's claims elsewhere that it has fixed multiple security vulnerabilities unearthed in the last year. ...

"Diebold may suffer from gross incompetence, gross negligence. I don't know whether there's any malevolence involved," said a senior California elections official who spoke on condition of anonymity. "I don't know why they've acted the way they've acted and the way they're continuing to act. Notwithstanding their rhetoric, they have not learned any lessons in terms of dealing with this secretary (of state)."

More details in the full article. This link comes via Ed Felten, who got it from Dan Gillmor.

I'm, honestly, extremely surprised by this. Since Diebold's software began to get scrutiny, I've heard nothing but assurances from Diebold that all these problems were either fixed before deployment or fixed now and not present in current election machines. From all appearances they were learning from their mistakes.

We now know they were just lying.

Further, at every e-voting panel or discussion, I hear proponents claim that "testing" is the answer to any and all vulnerabilities. "Certification" is the magic word used to reassure us that "not just any" software can be slapped into voting machines.

From the article: "The memos reflect an argument that the regulations by which California approves voting equipment for elections may never have been properly codified and are unenforceable." In other words, even as they were claiming "certification" was responsible for the safety of the machines, they internally were ignoring certification requirements based on legal advice that they were unenforceable.

AT THE VERY LEAST, let's make certification stringent! Push your congresspeople to fund the NIST-certification portions of the Help America Vote Act (see blog entry below). If we can't have real improvements, like mandatory voter-verifiable ballots, at least let us give teeth to the testing and certification process. At present it's the very worst form of security: a dog-and-pony show that reassures people and takes them off their guard without providing a single bit of actual security.