I could find no one single source for information nor could I validate that the information was in fact accurate. So I took it upon myself to research this issue from the perspective of someone that has spent half of his life in Information Technology.
The following article and supplemental follow-up material are the result of that search to date.
- The original Article (March 2006)
- Q&A With Steve Raborn - Fort Bend County Election Administrator (March 2006)
- Comments on recent Articles in the News regarding "problems" with eSlate
- The Smell Test regarding Hart Intercivic - Follow the Money.
What They Aren't Telling You About The eSlate
When it comes to the issue of eVoting & eSlate, the voter is not getting the whole story.
There have been numerous claims of security vulnerabilities, concerns over exclusive access to the systems and a plethora of rumors of past exploits of the eSlate system.
I have personally spent close to 20 years in information technology. I have a total of nearly 10 years’ experience in security-related processes from credit card fraud control to intrusion prevention.
Is there really anything to be concerned about regarding the Hart InterCivic eSlate system?
According to several information technology publications that specialize in security, Hart InterCivic is testing its own equipment and refuses to participate in third-party peer-reviewed security testing to validate its claims.
In a recent article in Computer World magazine, Marc L. Songini wrote:
“… That’s about whether the verification and validation processes these machines go through are woefully inadequate or not. The e-voting companies aren’t volunteering their systems for independent audits and analysis.”
Is the security in e-voting up to the standards that business executives would demand in their applications? “No way.” “Definitely not.” “Five years ago, yes, but in the current climate, no.” “These guys are betting their critical business processes on software.” “They need to consider who might do harm to that system.” “This level of rigor isn’t applied to e-voting systems.”
I contacted Hart InterCivic and spoke with Gary Gandy, the sales representative for Texas and Fort Bend County, about some of the issues that have been raised about the company’s systems.
What efforts have been made to provide affordable printers for the eSlate systems?
Gary Gandy responded: “The printers are currently available,” adding, “several other states already require a paper trail by law.”
A paper trail in Texas is an issue that has to be addressed by the secretary of state. Legislation was previously drafted but never went anywhere. Because Texas does not require the paper trail, the printers can not be purchased. The state of Texas has also failed to require the latest version of eSlate software that will allow for printing and better security.
Gerry Birnberg, Harris County Democratic Party Chairman, stated “I also do not understand the point about counties not being able to purchase Hart printers. While they are not required to do so at the present time, there is no legal prohibition against their doing so if they want to and if Hart InterCivic’s is willing to sell them to them. A county can use systems which provide voter verifiable paper trails if it wants to, even though the Texas Legislature has not yet required that it do so.”
Convention Strategy Chair John Behrman of Harris County stated “Hart’s VVPAT (voter verifiable paper trail) ‘solution’ only works with its v6 software, which is neither available nor certified for use in Texas. In any case, no elected official from either party has challenged any of Hart’s commercial misrepresentations or monopolistic practices. Hart is the darling of Democratic elected officials who have, simply, no understanding whatsoever of the technical or economic dimensions of procuring, using, maintaining, depreciating, or replacing engineered goods.”
How much would the printers cost?
Mr. Gandy did not know off the top of his head but stated approximately $1,000 to $1,200 each.
What other efforts are there to allow for independent audits and recounts?
Gandy stated “Harris County has previously done this. We would have to talk to Harris County about how that recount was performed.”
Birnberg stated “From my perspective, there is, effectively, no such thing as a recount of electronic voting machine tallies not accompanied by a voter verifiable paper trail. It amounts to no more than asking the machine to regurgitate the figures it previously spit out, but there is no way to check or ‘recount’ the accuracy of the tally at that point – without a paper trail.”
Behrman stated In the two most recent instances of probable cause to investigate first-degree felony vote-tampering in Harris County, the technique of “recovering” cast vote records that were corrupt or unreadable at the Central Counting Station also removed the possibility of forensically examining those records as originally recorded. If the votes had not been tampered
with before, they had been after county officials hastily “recovered” them.
Behrman went on to state “In any case, without VVPAT (Voter Verifiable Paper Audit Trail), there simply is nothing of an original nature to recount. What you see vanishes the moment you press the red button unless you take a camera into the voting booth – a crime in Texas. “
Birnberg stressed the importance that the “Jimmy Carter/Jim Baker Commission on Federal Election Reform specifically recommended retrofitting electronic machines with printers and requiring them on all electronic machines in the future. Also, this is not that partisan an issue – the platform of the Republican Party of Texas specifically calls for a prohibition on all electronic voting machines and systems which do not include a voter verifiable paper trail.”
What has been done to resolve some of the issues seen in 2004?
The problems of reliability with entire daisy chains of systems freezing when one system hangs:
According to Gary Gandy “This is possible but interruption would be brief. Just remove the offending node, reset the system (reboot), the interruption should be very slight and brief, a few minutes at most.”
Malfunctions that deprived voters of their votes:
According to Gary Gandy, “this is not possible; the voter enters an access code (PIN). If the unit malfunctions and a reset is required the system automatically prints what nodes (eSlates) are attached by serial number and lists ‘aborted access codes,’ then the person could re-vote.” These interrupted votes are called “Spoiled Ballots.” The voting judges are fully trained on this issue and the process to allow re-votes. The system is real-time and all activity is recorded. If a voter has a spoiled ballot they need only compare their access code with the automatic print out after a reset to be allowed to vote.
Has the eSlate been through any independent third-party security testing?
Gary Gandy answered this question “yes.” This was done by Symantec @stake Consulting Services and a copy of the report can be downloaded from Hart InterCivic. The consulting started in the fall of 2003 and according to the report itself it is dated as being published on Dec. 7, 2004.
Unfortunately, back in 2004, many of the issues and concerns about security and paper trails were too difficult to implement by the November elections. Some of the concerns allegedly appear to have become reality in that election.
While those concerns appear to have been true in 2004 why are we in 2006 where the same concerns still exist? Hart InterCivic has had two years to develop solutions to the problems and some progress has been made. If concerns about paper trails and auditing are still valid, where are those solutions today?
In my conversation with Gary Gandy, I learned the responsibility lies with the Texas Legislature and the Texas Secretary of State. They failed Texas voters in getting legislation passed that would require a paper trail. Without validating the Version 6 of the eSlate and proper legislation, Hart InterCivic can not sell their solution in Texas.
In the executive summary section of the report it is noted “Symantec @stake consultants advised Hart in making significant changes to the latest version of the eSlate system code and the Hart development process.” In the overview documentation it is stated “The media attention and conflicting expert commentary make the task of securing a DRE voting system particularly challenging.”
The security is challenging, not impossible. The report cites some excellent examples of high-level recommended security practices. If these practices are in fact in place it would seem to be a good process. The problem I see with the report is that they were engaged by Hart InterCivic a year before the reported problems back in 2003. The problems were reported about six weeks before the report was published.
The report is also centered around security design in the development phase of the software. When it comes to security testing, Symantec basically recommended self-testing and internal processes.
This security testing is in fact not a report on testing results, nor is it a documented testing procedure. This report reveals that there is no independent third-party testing of the products for security vulnerabilities, nor does it recommend independent third-party testing.
The “About Hart InterCivic” section on the last page of the report sounds far too much like marketing. The report states, “Hart InterCivic’s name stands for exceptional expertise, absolute accessibility, and trusted transactions. Hart InterCivic is a leader in providing products and services that help redefine the relationship between state and local governments and the citizens they serve.”
For information on how all of this applies to Fort Bend County, read this question-and-answer session with county Elections Administrator Steve Raborn.
What is the final tally?
E-voting is the way of the future. Therefore it is essential to have a system that can be audited by a paper trail. Americans have the right to vote and the government has the responsibility to provide a system that allows for everyone to vote, can be audited and allows for recounts that are separate from the electronic system.
According to Marc L. Songini “There should be much more severe security-testing requirements. The key is, you need to raise awareness that these vulnerabilities do exist and can be exploited, and you need a way of measuring security.”
Based on my conversation with Raborn and others, the Fort Bend County Office of Elections is doing the best job that it possibly can with what equipment it has and the laws and rules that it has to operate under.
The fact is that the secretary of state and our Texas Legislature have failed us in not passing legislation requiring a VVPAT (Voter Verifiable Paper Audit Trail). As long as these requirements do not exist, a lot of the vulnerabilities of the electronic voting system will remain in place with no method for proving or disproving the validity of the system.
The legislature must pass a bill requiring a VVPAT for elections, and require independent third-party security testing of eVoting systems that passes an independent peer-reviewed security testing procedure that evolves with the technology. The state of Texas has failed to approve Version 6 of the eSlate softwhere, which supports printers and is more secure; without that approval no county in Texas can purchase the latest version of eSlate.
Hart InterCivic has a good testing process on paper. It is strictly a high-level internal process with no outside or independent validation of these processes. This is like the fox writing the security procedure for the hen house. The procedure is nice, but is without an independent
third party audit to validate that those procedures in fact work and the results can be measured.
Until Hart InterCivic volunteers its equipment for independent testing, no one will ever know if the eSlate system is in fact secure. Until there are changes in the testing procedures and our state representatives take care of our voting concerns, no one can claim for certain what votes were in fact cast.
Steve Raborn Answers Questions About Fort Bend County's E-voting System
Fort Bend County Election Administrator Steve Raborn participated in a recent question-and-answer interview about the county’s eSlate voting system, with Prescott Small, a Stafford information technology professional.
Q: Have you heard of some of the complaints that occurred in Travis and Harris Counties?
A: Vaguely aware of some of the issues reported but not fluent in them. The machines are specifically designed so that ballots could not be lost.
Q: Does your office train polling place operators on how to handle “Spoiled ballots” in the event of a malfunction?
A: We prefer to call them Cancelled booths. Spoiled ballots are a legally defined term. Reasons for canceled booths are wrong precinct or wrong party (primary) . As long as the ballot is not cast the booth can be canceled.
Q: What is the current version of the software of the eSlate voting system that Fort Bend County has?
A: Fort Bend County uses System Version 3.3.
Q: Could you tell me some about why Fort bend has to use the eSlate voting system we currently have and not the version 6 that is currently available?
A: Any time a new version is released the system needs to be certified on a national level. Texas typically will not certify before a version is certified on a national level. The new versions can not be used until the state of Texas approves them. Til then it is illegal.
Q: Are you aware that sversion 6 supports printers and allows for a Voter Verifiable Paper Audit Trail?
Q: Do you personally have any concerns about the systems?
A: I have no concerns about security, accuracy or reliability. There is room from improvement for the ease of use in setup at the polling place, since a lot of the polling judges are not as comfortable with computer equipment and set-up as some other people. The serial port plugs also can be a problem because pins can get bent requiring repairs or replacement, and can cause
delays in getting a polling opened.
Q: Do you have any further comments you would like to share?
A: Even though versions of the eSlate system are currently available that allow for VVPAT, the state of Texas would not be able to legally use such a system. Even if we had the paper trail today, those pieces of paper could not be used in a recount because Texas law would not allow for it. The laws of the state of Texas has to change before any type of paper trail could be allowed.
Overall satisfaction with the product is high. On a scale of 1 to 10, 10 being excellent, Steve Raborn rates the eSlate system an 8.5.
Steve Raborn’s county has in place a system for monitoring progress and reliability in the eSlate system. They log every call regarding the eSlate system and categorize them. They have reviews of the calls, analyze what went well and what could be done better. They implement those changes and then repeat the monitoring process the next time, Raborn said.
The measurement of their success is that they saw a significant decrease in call volume this last primary because of the changes they made and enhancements in the training for the setup of the systems.
Comments on recent Articles in the News regarding "problems" with eSlate:
Recently there was more news that is current and challenges the credibility and reliability of the eSlate system from Hart InterCivic as well as other eVoting systems.
As published on March 9th in the Star Telegram from Fort Worth, TX:
An undetected computer glitch in Tarrant County led to inflated election returns in Tuesday’s primaries but did not alter the outcome of any local race, elections and county officials said Wednesday.
The error caused Tarrant County to report as many as 100,000 votes in both primaries that never were cast, dropping the local turnout from a possible record high of about 158,103 voters to about 58,000.
Because the errors added votes equally for each candidate, the glitch did not change the outcome of Tarrant County races but narrowed the margin of victory in some statewide races. In the close Republican primary race for Texas Supreme Court, for example, incumbent Don Willett edged past former Justice Steve Smith by only about 1 percentage point with the corrected vote tallies.
Also according to John Covell, a vice president with Hart InterCivic:
The problem stemmed from a programming error by Hart InterCivic, which manufactured the equipment and wrote the software for the local voting system. The system is designed to combine electronic early voting results and totals from paper ballots on Election Day.
The error caused the computer to compound the previous vote totals each time the election totals were updated throughout the night, rather than keep a simple running total, officials said.
“The system did what we told it to do,” said John Covell, a vice president with Hart. “We told it incorrectly.” The program was designed specifically for Tarrant County, and no other counties reported similar problems, elections officials said.
How do we know those votes that were tallied were as the voter intended?
What definitive proof is there?
Granted Fort Bend County uses a different system than Tarrant County and the outcome was “not affected.” This clearly shows that Hart InterCivic’s software is not full proof.
This issue isn’t only about Fort Bend County and eSlate. These problems exist all over the United States and with all of the eVoting equipment manufacturers. There are hundreds of reported incidents across the United States, including reports of successfully hacked systems.
When the votes exist solely as 1’s and 0’s inside the hardware of a computer system how can an audit be valid?
If the system repeatedly gives the same results that does not validate the intent of the voter, it only validates what is inside that system.
Let’s use a 5 pound box of apples analogy:
You have a Box labeled as being 5 pounds of apples. So you count the apples and come out with 25 apples. I can not be certain that I have 5 pounds of apples without a scale. The count is irrelevant without a proper means of validating the intent. In this scenario the intent was to have 5 pounds of apples in the box. The count of what is in the box is irrelevant because we do not have an external method of validating that the intent of 5 pounds was met and recounting has no value
These problems have occurred over and over while Hart InterCivic states that the machines are designed to not allow for errors. Yet we have a specific example where errors have occurred because the machines are "designed to work this way."
…The conventional wisdom was all wrong,” said Wagner, a member of the panel that reviewed the Diebold machines. “It was possible to subvert the memory card without detection.”
No one can not decisively prove voter intent.
My biggest concern is If we have a situation where there is one big error at the wrong place and wrong time causing major negative affects in an election it could completely destroy voter confidence in electronic voting.
The public trust is earned very slowly over time, yet that trust can be completely forfeit overnight. All that the voters demand is confidence in the electoral system. If the Voters loose confidence it will take many years to earn that trust back
As long as these reports of over-votes, lost votes and such continue to arise people are going to be concerned. While I definitely have some doubts in the quality of programming of the equipment I do not have any major concerns about the hardware, other than what Steve had previously pointed out about the cable connections and ease of use in setup and break down.
The integrity of the software is what is at the “heart” of the issue.
Until there is a state mandated VVPAT and independent 3rd party auditing of the equipment and the software then voter confidence will not be very high and could be subject to continuous decline.
With this additional knowledge I have even less confidence in the Hart InterCivic system. They have sold the State of Texas millions of dollars worth of equipment, our tax dollars. They admit it is buggy and yet we can not get the software updated because the legislature has to approve it and certify it first. So most counties are operating with software that is years out of date.
This incident is just more proof that we need a VVPAT (Voter Verifiable Paper Audit Trail).
To answer Steve Raborn’s question: Who are “They”?
That would be Hart InterCivic (and other EVoting companies), the Secretary of State, the Mass Media, the Texas State Legislature.
Personally I don’t think Steve Raborn has held anything back. In fact he will communicate quite freely when asked questions.
One of the bigger problems seems to be that people don’t ask the questions that need to be answered.
The Smell Test Applied to eSlate:
The smell test is still a great and valid method for seeing is some things should be questioned.
It is just amazing the information that can be found:
RES Partners, which invested in Hart’s second and third rounds, is an entity that represents Richard Salwen, retired Dell Computer Corporation vice president, general counsel and corporate secretary, who had also worked with Perot Systems and EDS. Salwen is a heavy contributor to George W. Bush and the Republican Party. (1)
Maximus Inc. is a gigantic privatizer of social services. It cuts deals with state governments to handle child-support collections, implement welfare-to-work and oversee managed care and HMO programs. A Wisconsin legislative audit report found that Maximus spent more than $400,000 of state money on unauthorized expenses and found $1.6 million that Maximus couldn’t properly document. These unauthorized expenses included a party for staff members at a posh Lake Geneva resort; $23,637 for “fanny packs” to promote the company, with the bills sent to the state; and entertainment of staff and clients by actress Melba Moore. Maximus settled for $1 million. (2)
Maximus jumped into the smart-card business and soon afterward entered the elections industry through an alliance with Hart InterCivic.
Tom Hicks, the biggest investor in Maximus/Hart InterCivic, whose voting machines are used in Orange County, bought the Rangers from Bush for many millions more than was paid for the team a few years before by the soon-to-be governor and president, thus in effect financing his various political campaigns. Until recently, Hicks has had an office at the Longworth Building in D.C. close to GOP allies. (3)
(1) – Austin Business Journal, 8 November 2001; “Investors cast $7.5M vote for Hart InterCivic.”
(2) – Global Energy Business, 1 August 2001; “CAES: Ready for prime time” 34 Vol. 3, No. 4”
(3) – CBS News, December 14, 1999; “Stars owner Hicks to buy Rangers for $250 million”