
Texas: Voting System Allows "Corrections"

by Warren Stewart, Senior Project Director, Verified Voting Foundation
November 20th, 2007

A Houston Chronicle article last week described how, following the November 6 election, Harris County election administrator Johnnie German “used high-security codes to tap into the Harris County elections computer system last week and change some of the results manually.” It seems that the Hart Intercivic voting system used in Harris County allows anyone with access and a passcode to modify vote totals from an election without leaving any record of the modification.

But it gets worse. According to Dan Wallach of Rice University's Computer Security Lab, who served on the task force that recently studied the Hart system as part of the California Secretary of State’s electronic voting system review, the "encryption key" code can be extracted from voting equipment at any precinct.

The vote totals in Harris County had to be modified because confusion during early voting, caused by split precincts, resulted in 293 voters in Emergency Services District No. 9 being given the wrong ballot. Those voters were unable to express an opinion on a sales tax referendum for a fire/ambulance district in the Cypress-Fairbanks area of the county, since it didn't appear on their screens.

Computer expert John R. Behrman, who observed the vote adjustments, said he was “shocked” when he saw German use a series of passwords and an "encryption key" -- a series of numbers on a nail file-size computer memory storage device -- to reach a computer program that said "Adjustment." Shocking indeed.

"A hundred percent of precincts reporting, and everything had been distributed to the press," he said. "Then and only then did I see how they were going to do this, and frankly I never thought it was possible.

"Basically it turns out, without regard to any ballots that have been cast, you can enter arbitrary numbers in there and report them out in such a way that, unless you go back to these giant (computer) logs and interpret the logs, you wouldn't know it has been done."

It is reasonable that an electronic voting system should provide administrators with procedures for making such corrections, provided those procedures are secure and accountable. However, it seems that the Hart “Adjust” feature fails to provide adequate security or even follow fundamental accounting principles.

With reference to the section of the California team’s report on their review of Hart’s source code that describes the "vote adjustment" feature, Professor Wallach explained in an email posted on Charles Kuffner’s Blog:

Hart's tabulation system, "Tally" supports a feature that allows an election administrator (i.e., somebody who knows the special administrator password, has the appropriate USB key token, and has access to the Tally machine) to make pretty much arbitrary changes to the election totals. This functionality operates by directly editing the totals, which goes entirely against standard bookkeeping practices (where you never, ever overwrite a number in the books; you instead add a line to the books that states what the correction is and where the error occurred). Hart's basic design allows for innocent mistakes to go uncorrected, since there is no easy way to audit any corrections that may have been made. Corrections do not show up on official election reports.

As a secondary matter, the security features, intended to prevent unauthorized users from accessing this feature, are similarly inadequate. The password necessary to interact with the database is stored on the disk where any user of the machine can easily access it (see our report, pages 48-49, "Issue 15: Database passwords are stored insecurely"). Similarly, the USB tokens, used to manage cryptographic keys, turn out to all contain precisely the same key, which is used throughout the county. The very same key is stored inside machines in every precinct and can be easily extracted (see our report, pages 55-57, Section 6.7, "Cryptographic Key Management").

So, indeed, Hart has multiple lines of defense. Unfortunately, every one of them is incorrectly engineered, rendering the system entirely vulnerable to compromise. Of course, I am not stating that any such compromise has ever happened in Harris County. What I am saying is that the design of the Hart system is entirely insufficient to prevent such attacks, should a competent attacker wish to make them.
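The bookkeeping practice described in the email above (never overwrite a number, add a line stating the correction and its reason) can be sketched as an append-only, hash-chained ledger. This is an added example, not Hart's code and not from the California report; the class, field names, the two-witness rule and the sample figures are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class TallyLedger:
    """Append-only tally: counts and corrections are entries, never overwrites."""
    def __init__(self):
        self.entries = []

    def append(self, kind, contest, choice, delta, operator, witnesses=(), reason=""):
        # Assumed policy: a correction must state why and name two observers.
        if kind == "adjustment" and (not reason or len(witnesses) < 2):
            raise ValueError("adjustment needs a reason and two witnesses")
        body = {"seq": len(self.entries), "kind": kind, "contest": contest,
                "choice": choice, "delta": delta, "operator": operator,
                "witnesses": list(witnesses), "reason": reason,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]  # head hash, to be handed to observers

    def totals(self):
        out = {}
        for e in self.entries:
            key = (e["contest"], e["choice"])
            out[key] = out.get(key, 0) + e["delta"]
        return out

    def adjustments(self):
        # Corrections remain visible as their own report lines.
        return [e for e in self.entries if e["kind"] == "adjustment"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain holds."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(body):
                return i
            prev = e["hash"]
        return None

def build_sample():
    # Constructed sample data, not figures from the Harris County election.
    led = TallyLedger()
    led.append("count", "Prop 1", "FOR", 1200, "op-a")
    led.append("count", "Prop 1", "AGAINST", 900, "op-a")
    led.append("adjustment", "Prop 1", "FOR", 40, "op-a",
               witnesses=["obs-1", "obs-2"], reason="constructed: ballots omitted")
    return led
```

The chain only detects edits if the head hash is recorded somewhere the operator cannot rewrite, such as the printed report given to observers; someone with full write access could otherwise recompute every hash. It also does nothing about the password storage and shared-key problems the email goes on to describe.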

Wallach also notes that as a result of the review of Hart’s system, the California Secretary of State imposed a variety of conditions on the use of Hart systems, but that in Texas, such procedures are far behind the California standards – and in his opinion are unacceptably error-prone and insecure.

If Texas were to adopt all of the conditions of how voting systems are used in California (including parallel testing, mandatory paper trails, mandatory audits of the paper trails, limits on the number of DREs per precinct with most voters casting optical scan paper ballots, and so forth) that would be a great start.

Hart Intercivic equipment is used in 16 states nationwide. Some of those states have some of the security procedures that Wallach mentions in place, but many do not. Safeguards like those required in California, which help mitigate these security concerns, can and should be implemented in all jurisdictions using electronic voting systems.

Above all, it is important to note that the election official in Harris County rightly required bi-partisan observers to be present when he made the correction. Under no circumstances should this type of process occur without appropriate observers, so that everyone understands the purpose for the correction and can verify how it was accomplished. Ideally citizens should be invited to observe as well, not just representatives of political parties.

    Verified Voting Foundation, Inc., is a 501(c)(3) nonprofit corporation.

    © Copyright 2008, Verified Voting Foundation, Inc. All rights reserved, although reprint permission granted for nonprofit purposes with attribution to Verified Voting Foundation, Inc.

