Wednesday, March 4, 2009

Diebold Voting System Has 'Delete' Button for Erasing Audit Logs

Via Wired.com -

After three months of investigation, California's secretary of state has released a report examining why a voting system made by Premier Election Solutions (formerly known as Diebold) lost about 200 ballots in Humboldt County during November's presidential election.

But the most startling information in the state's 13-page report (.pdf) is not why the system lost votes, which Wired.com previously covered in detail, but that some versions of Diebold's vote tabulation system, known as the Global Election Management System (Gems), include a button that allows someone to delete audit logs from the system.

Auditing logs are required under the federal voting-system guidelines, which are used to test and qualify voting systems for use in elections. The logs record changes and other events that occur on voting systems to ensure the integrity of elections and help determine what occurred in a system when something goes wrong.

"Deleting a log is something that you would only do in de-commissioning a system you're no longer using or perhaps in a testing scenario," said Princeton University computer scientist Ed Felten, who has studied voting systems extensively. "But in normal operation, the log should always be kept."

Yet the Diebold system in Humboldt County, which uses version 1.18.19 of Gems, has a button labeled Clear, that "permits deletion of certain audit logs that contain — or should contain — records that would be essential to reconstruct operator actions during the vote-tallying process," according to the California report.

The button is positioned next to the Print and Save As buttons (see image above), making it easy for an election official to click on it by mistake and erase crucial logs.

In fact, the report says, this occurred recently in a California county when an official, while attempting to print out a copy of a so-called "poster log," inadvertently deleted it instead.

The system provides no warning to the operator that clicking on the button will result in permanent deletion of records in the log, nor does it require the operator to confirm the action before executing it.

[...]

The report states that the inclusion of the button violated the federal voting-system standards under which the Premier/Diebold system qualified to be used in elections. The standards require that voting-system software automatically creates and permanently retains electronic audit logs of important system events that occur on the machine.

Premier/Diebold did not respond to a request for comment.

The Clear button isn't the only problem with the audit log in the Premier/Diebold system. Wired.com previously reported other issues with the logs — for example, they don't record significant events that occur in the tabulation system, such as when someone deletes votes from the software.

The California report states that the Clear button and other issues should have been a red flag to the testing laboratories that certified the system. The system should have flunked certification-testing and been banned from the election.

Under the official voting-system standards, "each of the errors and deficiencies in the Gems version 1.18.19 software described in this report, standing alone, would warrant a finding ... of 'Total Failure'," the report concludes.

"Presumably some organization, some lab, looked at this system and decided they thought it complies with the standard," said Felten. "And, obviously, they were wrong. Any state that uses Gems should be looking at this seriously."

It's unclear what the states currently using the Gems system will do now that they know their voting software does not create an adequate audit trail.

California's secretary of state has scheduled a public hearing on March 17 (.pdf) to discuss the report and whether version 1.18.19 of Gems should be decertified in the state. That would force counties in the Golden State to upgrade to a different version.

-----------------------------

If this feature is only required in special testing or de-commissioning scenarios, then why is it even accessible in normal operation mode?

Shouldn't there be a special maintenance boot mode which then allows access to these functions?

Voting software should be open-source in my view....
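One way to build the behaviour the questions above ask for, as an added example (not code from Gems, the California report or Wired): a log whose clear operation is refused and recorded in normal operation, needs explicit confirmation in a maintenance mode, and whose entries are hash-chained so a missing record is detectable. The class, the `maintenance_mode` flag, the hash chain and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry
# Constructed sample events, not taken from any real Gems log.
SAMPLE_EVENTS = ["ballot batch loaded", "ballot batch deleted", "poster log printed"]

def _digest(prev, event):
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class AuditLog:
    """Append-only log; every entry commits to the one before it."""
    def __init__(self):
        self.entries = []              # list of (event, digest) pairs
        self.maintenance_mode = False  # hypothetical mode switch

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def append(self, event):
        self.entries.append((event, _digest(self.head(), event)))
        return self.head()

    def clear(self, confirm=False):
        # Normal operation: refuse, and record the attempt itself.
        if not self.maintenance_mode:
            self.append("DENIED: clear attempted in normal mode")
            raise PermissionError("clear is only available in maintenance mode")
        if not confirm:
            raise ValueError("clear requires explicit confirmation")
        final_head = self.head()  # record this outside the system first
        self.entries = []
        return final_head

def verify(entries, expected_head):
    """Recompute the chain; False if an entry was edited, dropped or truncated."""
    prev = GENESIS
    for event, digest in entries:
        if _digest(prev, event) != digest:
            return False
        prev = digest
    return prev == expected_head

if __name__ == "__main__":
    log = AuditLog()
    for e in SAMPLE_EVENTS:
        log.append(e)
    print(verify(log.entries, log.head()))
```

The chain only detects deletion if the latest head value is also kept somewhere the operator of the tabulation system cannot change, such as a printed or separately stored record.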
