Sunday, October 14, 2007

Nedap (LibertyVote) machine hacked

The following was originally published in The Bridge, POB 292, Cobleskill, NY

Voting Machine Security Questioned
Schoharie County citizens take heed.
16 March 2007 By Wayne Stinson

This past fall a group of computer savvy election integrity activists in The Netherlands undertook a security analysis of the voting machine widely used in their country. The group, "The We Do Not Trust Voting Computers Foundation," disassembled, decoded and examined three Nedap/Groenendaal ES3B electronic voting computers. These machines, which are also used in France and Germany, have been in use for several years and are said to record 90% of the votes cast in The Netherlands. This security analysis is very critical of the Dutch voting machine. The report of the Nedap security analysis was recently translated into English and became available to election integrity activists here in the United States.

So, of what concern is it to Schoharie County citizens that a bunch of Dutch nerds have torn apart some electronic voting machines? Ah, of much concern it seems. Let me explain.

The federal Help America Vote Act of 2002 (HAVA) requires states to modernize their election equipment and administration. HAVA also provided over three billion dollars for implementation of the required changes. New York State is compelled by the new law to replace all its old lever type voting machines thus creating a 200 million dollar opportunity which has attracted several voting machine manufacturers. A small actor in the New York State election services industry, Mr. Robert Witko of Fort Orange Press in Albany, formed a new business to market electronic voting machines to New York State.

That new business is Liberty Election Systems, a limited liability corporation with an address of 11 Sand Creek Rd., Albany, the same address as that listed for Fort Orange Press. Because Fort Orange Press and Mr. Witko have a long-standing business relationship with election officials, Liberty Election Systems has taken an early lead in the NY market. Despite the more than 1.5 million dollars spent by lobbyists for Liberty’s competitors over the past few years, many upstate election commissioners have expressed a preference for the LibertyVote. Schoharie County’s two election commissioners, Lew Wilson and Cliff Hay, have repeatedly stated that their choice of a new voting system is the LibertyVote machine and associated software products offered by Liberty Election Systems.

Liberty Election Systems does not build a voting machine or develop software to count votes. The products they are marketing are imported from The Netherlands. The manufacturer of the LibertyVote is Nedap and the author of the associated software is Groenendaal. The voting equipment Mr. Witko hopes to sell New York State is the same machinery the Dutch researchers disected and reviewed in their security analysis. A voter verifiable paper audit trail (VVPAT) printer has been added to comply with New York State law but the LibertyVote is essentially the Nedap/Groenendaal machine.

So, back to that security analysis we need to heed. Perhaps a quote from the report will best convey the information needed by Schoharie County’s citizens. Consider this from the introduction to the report:

"…the over-all security design of this computer relies almost solely on the near-universally deprecated concept of ‘security by obscurity.’ Since the problems we found stem from the very design philosophy, we see no quick fixes that could make this device sufficiently secure."

The report goes on to detail a variety of serious security failures of the machine and software from cheap, easily picked mechanical locks to sophomorically simple passwords allowing access to system management functions. A lack of appreciation for security by the manufacturer is further revealed by the use of inappropriate materials. The report states:
"…we believe it is significant to notice a pattern here: Tell Nedap they need to incorporate a lock and they pick the cheapest lock imaginable. Tell them to put a seal on it and they laser print their company logo on some paper labels."

Lest the reader assume these criticisms are just the ranting of some opinionated luddites I offer this observation made by Andrew Gumbel in his 2005 book Steal This Vote: Dirty Elections and the Rotten History of Democracy in America :
"In Europe the prime motivation for e-voting has not been the elimination of fraud, but rather the hope that the growing problem of voter apathy can be stemmed by making the process quicker and more painless. The Netherlands has been a pioneer in developing DREs, although it has focused almost exclusively on ensuring the technical solidity of the machines and given little or no thought to security measures or a paper backup."

Of course the main point of Gumbel’s book is the pervasiveness of electoral fraud here in the United States. We really do need to be concerned about fraud and a machine like the LibertyVote can only make matters worse on that score. The full Dutch security analysis report can be seen at : http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf .

Do Lew Wilson and Cliff Hay know about this report? Probably not, but we will make sure they are advised. Likewise, the New York State Board of Elections will be apprised. Certainly the agency responsible for certification testing of the LibertyVote will need to see this report and hopefully will take a second look at the weaknesses our Dutch friends have documented. We will make sure they see it.

And we hope our readers will be moved to contact their supervisor representative and demand that the county Board of Supervisors prevent our Election Commissioners from imposing the LibertyVote electronic voting machine on the voters. We also do not trust voting computers. We reject electronic voting machines. And we know paper ballots will help preserve our democracy.

Wayne Stinson is the Coordinator of the Peacemakers of Schoharie County Voting Integrity Project. He can be reached at 518-287-1463 or airhead@midtel.net .

No comments: