Election Fraud in Kentucky

I think this is the first documented case of election fraud in the U.S. using electronic voting machines (there have been lots of documented cases of errors and voting problems, but this one involves actual maliciousness):

Five Clay County officials, including the circuit court judge, the county clerk, and election officers were arrested Thursday after they were indicted on federal charges accusing them of using corrupt tactics to obtain political power and personal gain.

The 10-count indictment, unsealed Thursday, accused the defendants of a conspiracy from March 2002 until November 2006 that violated the Racketeering Influenced and Corrupt Organizations Act (RICO). RICO is a federal statute that prosecutors use to combat organized crime. The defendants were also indicted for extortion, mail fraud, obstruction of justice, conspiracy to injure voters' rights and conspiracy to commit voter fraud.

According to the indictment, these alleged criminal actions affected the outcome of federal, local, and state primary and general elections in 2002, 2004, and 2006.

From BradBlog:

Clay County uses the horrible ES&S iVotronic system for all of its votes at the polling place. The iVotronic is a touch-screen Direct Recording Electronic (DRE) device, offering no evidence, of any kind, that any vote has ever been recorded as per the voter's intent. If the allegations are correct here, there would likely have been no way to discover, via post-election examination of machines or election results, that votes had been manipulated on these machines.

ES&S is the largest distributor of voting systems in America and its iVotronic system --- which is well-documented to have lost and flipped votes on many occasions --- is likely the most widely-used DRE system in the nation. It's currently in use in some 419 jurisdictions in 18 states including Arkansas, Colorado, Florida, Indiana, Kansas, Kentucky, Missouri, Mississippi, North Carolina, New Jersey, Ohio, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, Wisconsin, and West Virginia.

ArsTechnica has more, and here's the actual indictment; BradBlog has excerpts.

The fraud itself is very low-tech, and didn't make use of any of the documented vulnerabilities in the ES&S iVotronic machines; it was basic social engineering. Matt Blaze explains:

The iVotronic is a popular Direct Recording Electronic (DRE) voting machine. It displays the ballot on a computer screen and records voters' choices in internal memory. Voting officials and machine manufacturers cite the user interface as a major selling point for DRE machines -- it's already familiar to voters used to navigating touchscreen ATMs, computerized gas pumps, and so on, and thus should avoid problems like the infamous "butterfly ballot". Voters interact with the iVotronic primarily by touching the display screen itself. But there's an important exception: above the display is an illuminated red button labeled "VOTE" (see photo at right). Pressing the VOTE button is supposed to be the final step of a voter's session; it adds their selections to their candidates' totals and resets the machine for the next voter.

The Kentucky officials are accused of taking advantage of a somewhat confusing aspect of the way the iVotronic interface was implemented. In particular, the behavior (as described in the indictment) of the version of the iVotronic used in Clay County apparently differs a bit from the behavior described in ES&S's standard instruction sheet for voters [pdf - see page 2]. A flash-based iVotronic demo available from ES&S here shows the same procedure, with the VOTE button as the last step. But evidently there's another version of the iVotronic interface in which pressing the VOTE button is only the second to last step. In those machines, pressing VOTE invokes an extra "confirmation" screen. The vote is only actually finalized after a "confirm vote" box is touched on that screen. (A different flash demo that shows this behavior with the version of the iVotronic equipped with a printer is available from ES&S here). So the iVotronic VOTE button doesn't necessarily work the way a voter who read the standard instructions might expect it to.

The indictment describes a conspiracy to exploit this ambiguity in the iVotronic user interface by having pollworkers systematically (and incorrectly) tell voters that pressing the VOTE button is the last step. When a misled voter would leave the machine with the extra "confirm vote" screen still displayed, a pollworker would quietly "correct" the not-yet-finalized ballot before casting it. It's a pretty elegant attack, exploiting little more than a poorly designed, ambiguous user interface, printed instructions that conflict with actual machine behavior, and public unfamiliarity with equipment that most citizens use at most once or twice each year. And once done, it leaves behind little forensic evidence to expose the deed.

Read the rest of Blaze's post for some good analysis on the attack and what it says about iVotronic. He led the team that analyzed the security of that very machine:

We found numerous exploitable security weaknesses in these machines, many of which would make it easy for a corrupt voter, pollworker, or election official to tamper with election results (see our report for details).

[...]

On the one hand, we might be comforted by the relatively "low tech" nature of the attack -- no software modifications, altered electronic records, or buffer overflow exploits were involved, even though the machines are, in fact, quite vulnerable to such things. But a close examination of the timeline in the indictment suggests that even these "simple" user interface exploits might well portend more technically sophisticated attacks sooner, rather than later.

Count 9 of the Kentucky indictment alleges that the Clay County officials first discovered and conspired to exploit the iVotronic "confirm screen" ambiguity around June 2004. But Kentucky didn't get iVotronics until at the earliest late 2003; according to the state's 2003 HAVA Compliance Plan [pdf], no Kentucky county used the machines as of mid-2003. That means that the officials involved in the conspiracy managed to discover and work out the operational details of the attack soon after first getting the machines, and were able to use it to alter votes in the next election.

[...]

But that's not the worst news in this story. Even more unsettling is the fact that none of the published security analyses of the iVotronic -- including the one we did at Penn -- had noticed the user interface weakness. The first people to have discovered this flaw, it seems, didn't publish or report it. Instead, they kept it to themselves and used it to steal votes.

Me on electronic voting machines, from 2004.

Posted on March 24, 2009 at 6:41 AM • 49 Comments

Comments

CGomezMarch 24, 2009 7:17 AM

Well our leaders panicked in the face of ambiguous voting in FL. Perforated punch cards had already been warned against by an FEC study years prior to 2000.

We aren't very good experts at secure systems, like voting. We elect people who aren't very good at it either.

They get bamboozled by salesmen who convince them you have to "modernize" the system.

Good old fashioned paper that you unambigiously mark to cast a vote is still the best method. There isn't even anything wrong with punching holes in cards as long as they aren't perforated ahead of time. The key is being able to review the votes later.

No system is perfect. Sometimes we'll have to guess a user's intent, but that will at least be based on actual evidence.

Any system that doesn't let us review evidence that a voter meant something is already flawed.

WernerMarch 24, 2009 7:35 AM

Thank heaven for our German Supreme Court that just recently "forbid" electronic voting systems.

While the court has not completely ruled out electronic voting systems, the judges defined very strict requirements that in fact no known system can fulfill these requirements.

RandyMarch 24, 2009 7:53 AM

Perhaps this will be the wake-up-call in the USA to eliminate these paperless voting machines.

In my district, we use the optical scanners, so there is a paper record. Honestly, what's so difficult about these?

Randy

sooth sayerMarch 24, 2009 8:09 AM

I am glad it's not a "high tech" exploit - but routine what normally is called ballot-stuffing.

I still hold that absentee ballot fraud in US is 10000000 times bigger than any you will find in electronic machines.


BlahMarch 24, 2009 8:10 AM

Errm.. what?

This has absolutely nothing to do with the machines. It's clearly due to human failure. This is like if someone would takes your piece of paper out of the box, shred it, and re-vote for you again. Maybe they even did it in the past, nobody would ever know. The insecurity lies in the 'voting personal', not in the machine.

Paul CrowleyMarch 24, 2009 8:10 AM

People should hardly be reassured that the attack that was discovered didn't make use of the various ways to use DRE to attack voting in undiscoverable ways.

CalumMarch 24, 2009 8:30 AM

I don't know about anywhere else, but in the UK your ballot paper has a serial number which can in theory be traced back to the voter that cast it, preventing simple ballot stuffing and replacement votes. This obviously isn't ideal, but in a paper system it's hard to provide audit and anonymity; perhaps in Zimbabwe it would be a bad idea but it seems to work here, more or less.

Liam SpencerMarch 24, 2009 8:40 AM

Arrgh.

Paper/Optical Scan Ballots.

Candidates' observers allowed during the whole process (minus being behind the screen) and at the count.

It's NOT elliptic curve cryptography, people.

Canada and Minnesota have it right.

Kentucky PoliticianMarch 24, 2009 8:45 AM

Before anyone tries to bring up a partisan flame-war, both major parties were represented amongst those arrested.

CybergibbonsMarch 24, 2009 8:46 AM

@Blah
There is a fault with the machines - they could be designed so that the user interface and feedback to the user meant they were absolutely 100% sure that the vote had been entered into the machine. Ambiguous instructions and someone nearby to slightly alter the perception of when a vote was entered meant that many people had their vote modified.

The beauty of this is that there is no real way of seeing that it has happened. This is along the lines of marking your vote with a pencil and handing it to someone who says they'll put it in the ballot box - as compared to marking it in pen and placing it in the box yourself.

Shredding slips and making new ones requires the disposal of the old slips and creation of new ones, something that would be hard to do covertly.

CybergibbonsMarch 24, 2009 8:56 AM

@Liam

It's all about the perceived benefits of one system over another though. Electronic voting systems are seen as being quicker, more efficient, have less spoiled ballots, and by some as more secure. Some of these benefits may be real.

Paper systems have their disadvantages as well - but generally these are known and we have mechanisms in place to prevent fraud.

DaveMarch 24, 2009 9:04 AM

I was a poll worker in Indiana in November. We used a non-touch-screen electronic voting machine. It had the red cast vote button. In Indiana we are required to have one Democrat and one Republican judge present at all times while the polls are open. Both judges must be present when dealing with an active ballot (whether assisting someone with questions (about the procedure of voting--we were not allowed to answer questions relating to politics or candidates at all) or a disability or one where someone walked away from an uncast ballot). We were instructed by the officials to cast the ballot as-is in the case of walk-aways. Both judges would page through to the final page and cast the ballot without making any changes. I thought it was a very good system with the check/balance of the opposing party being present. We were all interested in running a very clean, accurate election reflecting the voters' intentions. The major weakness I see in this system is it definitely plays to the two major parties while marginalizing any third parties. As far as I know, third parties would be allowed to have pre-approved poll observers present, but not poll judges.

TimHMarch 24, 2009 9:39 AM

Anyone else amused by the irony that "ES&S ... voting systems ... is ... currently in use in some 419 jurisdictions"? Welcome to Lagos, man!

KevinMarch 24, 2009 10:33 AM

In Chicago, we are required to "have one Democrat and one Republican judge" present, but the judges don't have to actually be members of the party they represent -- in practice, both are nearly universally democrats.

Petréa MitchellMarch 24, 2009 11:14 AM

"it was basic social engineering"

I'd call it a usability screwup. The fact that it can be exploited for malicious purposes is secondary. Even with honest election workers, this is bound to lead to spoiled ballots when people don't confirm their vote.

I'd also say that this is the same class of usability problem as presented by having a voter confirm a printout. I hope the voting machines with paper trails have been properly tested to ensure that they communicate to the user that the presence of a "receipt" does not mean the process is actually complete.

RoyMarch 24, 2009 11:59 AM

Since the incumbents decide what voting mechanisms will be used, we can count on them to shop around for the system that will let them cheat the most, thus retaining their incumbency even if the actual vote count would have booted the bums out of office, and enabling their political allies to take office when they lose the actual election, since the actual is not reflected in the outcome.

SeerMarch 24, 2009 12:20 PM

Hey Bruce! This isn't the only election fraud going on this past year. Check out the GEMS system, who's "audit trail" doesn't record events like "deleting votes". How crazy is that? Even in my high school over a decade ago, everyone in Pascal class created a vote counting system that had an audit trail that counted everything!

See http://www.bradblog.com/?p=6995 for more info.

Reality CheckMarch 24, 2009 12:32 PM

Maybe its time for some class-action suits against the various states and jurisdictions that use these particular machines. They should be charged with knowingly compromising the voting processes by using machines which have been shown to be unreliable, etc.

lukegMarch 24, 2009 12:59 PM

A red bar at the top would be nice - it stays red during the entire voting process, and says, "Your vote is not yet complete!"

When the final click is registered, it turns green, says, "Your vote IS complete!" Other fraud could still be perpetrated, but at least this one instance of UI confusion would be minimized.

Aaron GrattafioriMarch 24, 2009 1:02 PM

I would encourage people to support the Open Voting Consortium. Any technical voting system will have trouble defending against malicious poll workers (and officials) via non-technical attacks. While social engineering will always be a problem (one might even mention most campaign ads in that discussion) this is a step in the right direction.

Open source voting is the way to go!
http://openvotingconsortium.org/

I still laugh when I think of this:
http://preview.tinyurl.com/ctw9v5
Diebold is just terrible.

A nonny bunnyMarch 24, 2009 1:33 PM

@LandruBek
> Sorry for the pedantry, but the word is
> "malice," not "maliciousness."

They are both correct words. And arguably not precisely the same thing, if you want to be pedantic.

MartinMarch 24, 2009 2:57 PM

@Liam Spencer

Educate me! What do Canada and Minnesota do differently? Unfortunately the existence of Little Canada, Minnesota makes googling difficult...

JebMarch 24, 2009 3:49 PM

It's not a tough problem, really - just use the "voting machine" as a printer and UI; they're much better for this than punch cards with confusing arrows, and harder to alter than paper "mark one with a pencil" type of ballots. Don't use the voting machine as a vote recorder - that's the security risk, and it's a risk that didn't exist before poorly implemented electronic voting machines pushed out the other methods.

TimMarch 24, 2009 4:37 PM

I want a receipt with a number on it which I can use later to check anonymously on line to verify my vote.

Carlos GomezMarch 24, 2009 4:43 PM

@Martin: I'm not sure what Minnesota does but Federal elections in Canada are run with paper ballots.

prairiedockMarch 24, 2009 6:23 PM

Election fraud should be a capital crime. (This implies nothing about what the proper punishment for capital crimes should be.) In terms of negative consequences to society, there is no more serious crime.

BetaMarch 24, 2009 6:28 PM

@Tim: "I want a receipt with a number on it which I can use later to check anonymously on line to verify my vote."

It had better be a receipt you write yourself, with a number you copy from the ballot and a random bit at the end you can reverse. Otherwise somebody can tell you how to vote and demand the receipt afterward. You must be UNABLE to prove how you voted.

Liam SpencerMarch 24, 2009 7:44 PM

Minnesota has optical scan ballots, an audit trail six ways from sundown, and "voter intent" laws for manual recounts with candidate's observers. The still-unresolved recount in the Minnesota Senate race has been 100% transparent, every challenged ballot was available to the public when judges ruled on them.

Canada has a uniform and purely paper ballot system. Mark something distinguishable in the little oval next to the name of the candidate you want.

The Candidates' representatives can watch the DRO seal the box, watch every voter approach it, check every voter against their own list, and challenge any voter they want for qualifications.

The count is done by hand after the polling place closes, by the ballot box's DRO, in full view of Candidates' representatives. At that point, ballots can be challenged. The DRO phones in the count and personally takes the box to headquarters.

My experience has had two obviously spoiled ballots (deliberate) and one where voter intent was clear but violated guidelines (the check mark was on the name instead of in the oval).

One of the reasons this works for Canada:

Federal and provincial elections only have a single candidate or issue on the ballot.

Municipal elections can have a few things up at once, but never more than 4 or so. Individual ballots are printed for each office/initiative.

Hand-counting would be a nightmare for a ballot the size of Minnesota's. Also, I prefer the voter intent laws of Minnesota.
Optical scan works for a preliminary result, and if that's outside the margin of error, it'd be good enough for me.

AnonymousMarch 24, 2009 9:57 PM

RICO for this? Always the small crap, and NEVER the real stuff. Easy pickings, and more distractionary bs.

USA has real problems to SOLVE. Oh well, pre 9/11 world dodgeball games.

FrancesMarch 24, 2009 10:16 PM

My municipality, the City of Toronto, uses optical scanning. The ballots are quite large and each name has a broken arrow beside it. You complete the line to vote then give the ballot to the poll clerk who places it in a folder which feeds the ballot through the scanner and into the attached box. There will probably be at least 3 offices for which to vote - mayor, councillor and school trustee.

RonKMarch 25, 2009 1:15 AM

@ Calum: "in the UK your ballot paper has a serial number"

Oh there's a big surprise! That's an incredible - I think I'm going to have a heart attack and die of not surprise!

Wouldn't it "save printing costs" and "increase voter security" if they just put a few extra surveillance cameras in the voting booths? They must be getting volume discounts on them, no?

[sarcasm off]

CalumMarch 25, 2009 4:52 AM

@RonK: Alternatives? How about, I go in, 7am, to cast my vote, and instead I filch my ballot paper. I go home, spend twenty minutes with photoshop, and print up a few thousand papers of my own. My accomplices then all go and drop as many votes in the box as they can fit (engineer distraction as required).

Please, feel free to be sarcastic, but just be aware that not everything is as obvious as it seems; otherwise, we would most likely already be doing it.

LyleMarch 25, 2009 6:31 AM

@bob - election fraud is close to treason. It's an attempt to subvert our way of government. It's not quite the same as developing off-budget sources of funding for a unit of assassins that reports to executive branch and isn't overseen by the legislature or the judiciary, but it's in the same family.


Apropos of the story, "...voting not secure, says CIA".

http://www.mcclatchydc.com/homepage/story/64711.html

thefoolMarch 25, 2009 10:13 AM

@Calum In any paper vote I've seen, voters don't put the ballot in directly, an official does (to make sure it's a real ballot and there's only one). Plus they'd notice if they gave you a ballot and then you walked out without casting it.

metooMarch 25, 2009 10:25 AM

@ kentucky politician, did you get in on the mass pardon by gov. fletcher, what an admission that kentucky is a 'failed state' only a completely corrupt administration needs to pardon all participants. not surprising in kentucky.
Im surprised bush didn't do that. He probably just didn't care about anyone but himself.

Liam SpencerMarch 25, 2009 11:01 AM

@Calum


Canadian system: You're given a #'d ballot, you go behind a screen, fill it out, fold it with a visible serial # tag. You then hand the ballot to the DRO, who (if it's folded correctly) tears off the serial and hands you back the ballot to place in the box.

During the count, the DRO needs to account for every used(valid or not) and unused ballot, match that with the number of voters (determined by the number of previously registered voters shown to have voted plus number of new registrants)

The DRO or the poll clerk is always withing arm's reach of the box, which is in full view of the candidates' observers and all voters in line.


.. Mind you, there's one joker in Pictou who has, on multiple occasions, stolen a box and thrown it in the river or run over it with his truck. For some reason the locals haven't caught on yet.

Bob YornMarch 25, 2009 2:37 PM

Before anyone tries to bring up a partisan flame-war, both major parties were represented amongst those arrested.
**********************************
But the democrats are innocent, they were set up.

TheGunGeekMarch 25, 2009 11:05 PM

Having worked in a lot of elections for a number of years now using the very voting terminals in this story, I can tell you that this method takes at least two workers in the precinct working together to pull it off. You would probably have to hit the Back button multiple times to get to the screen you wanted to change, then hit the Forward button the same number of times to go back to where you cast the vote then hit the Vote button and then the confirmation button. It's REAL OBVIOUS that you are cooking the books, probably even to any other voters there and especially to any poll observers. Every place I've been, they have a policy that if someone forgets to hit the confirmation button (which can be determined without even looking at the terminal just by listening) two poll workers have to go over to confirm the vote and that's only if they don't catch the person in time to have them do it themselves.

Of course, to do this on any kind of scale, you'd have to have a whole lot of people working together in a lot of precincts. Like I said, at least two in each polling place. The reality is that ALL of the workers there would need to be in on it (unless you limit yourself to cheating while the non-participant goes out to lunch) and you'd have to have no poll watchers there because they'd catch what was happening or else they'd have to be in on it as well.

Throw in having the people in line seeing what was going on and this is just not a very practical method. Sure, it must have done some good where it was used, but they also got caught.

BF SkinnerMarch 26, 2009 6:40 AM

Diebold admits their software has "flaws". Like the inability to record if a vote has been deleted. http://www.fcw.com/Articles/2009/03/23/Web-Diebold-admits-voting-system-flaws.aspx

Some might call that a screaming failure to conform to requirements but let's go with "flaw" for the moment.

They are hiring - http://www.premierelections.com/about_us/careers/ - Information Security Consultant/Architect - IT Security Solutions (11E)-CM08112603MZ

It's a shame really Diebold used to make really good security containers.

Joe HallMarch 26, 2009 9:37 AM

Hi Bruce! There have been a few other cases of documented fraud with e-voting machines in the U.S. Roy Saltman points out a case in his book where a couple poll workers in Chicago ran a few optical scan ballots through a precinct-count optical scan voting machine (they were caught when the totals didn't reconcile with the number of ballots in the hopper). There have also been a few cases of election workers "peeking" at results before polls closed... the best documented case here was in Tucson Arizona in 2007, I believe.

Jonadab the Unsightly OneMarch 27, 2009 6:32 AM

> And once done, it leaves behind little
> forensic evidence to expose the deed.

What it leaves behind instead is a guilty pollworker at EVERY SINGLE voting location where the scam was pulled. You might be able to rig a mayoral election this way and get away with it, but if you're systematically changing the outcome of a federal election, you're going to have thousands of witnesses, if not tens of thousands. If 1% of them can't keep their mouths shut afterward, you're going to prison.

Michael SeeseMarch 31, 2009 4:29 PM

Better late than never . . .

As someone pointed out, you could have a big, red flashing bar which states, "You're not done." But (despite what they were told) if after hitting "vote" and another screen pops up saying "confirm" . . . well, pay attention!

RobertoApril 15, 2009 6:53 AM

If there is no way to do a recount, if there is no "evidence, of any kind, that any vote has ever been recorded as per the voter's intent" (paragraph one) then the election is not free and fair.
Who owns these machine companies and what is in their political interest?

jim bobApril 15, 2009 11:38 AM

Eastern Kentuckians are the world experts in committing vote fraud. Companies should embrace this by hiring the mountain boys to test their security.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient Systems, Inc.