Ed Brayton is a journalist, commentator and speaker. He is the co-founder and president of 
This is a fairly old op-ed piece, from June 2007, but it speaks volumes about the GOP allegations of voter fraud. It was written by Rick Hasen, an election law expert at Loyola University in California, about the dissolution of the American Center for Voting Rights, a Republican front group that for years claimed that voter fraud was rampant. When study after study found no evidence of this, the group disbanded in 2006.
Let me first make some notes about Hasen. Like Gerry Hebert, he is not a political partisan nor is he connected to either campaign. He's been known to slam the Democrats as well as the Republicans. I interviewed him briefly for an article on the lawsuit in Michigan over the GOP using foreclosure lists to challenge voters, which he has bluntly argued is not a winning case and was filed by the Democrats for publicity purposes.
Nonetheless, he debunks the constant claims from Republicans that voter fraud is a serious problem in this country:
One part of the attack, at the heart of the Justice Department scandals, involved getting U.S. attorneys in battleground states to vigorously prosecute cases of voter fraud. After exhaustive effort, Justice discovered virtually no polling-place voter fraud, and its efforts to fire U.S. attorneys who did not push the voter-fraud line enough has backfired.But the second prong of this attack may have proven more successful. This involved using the American Center for Voting Rights to give "think tank" cachet to the unproven idea that voter fraud is a major problem. The center's work was used to support the passage of onerous voter-identification laws that depress turnout among the poor, minorities and the elderly - groups more likely to vote Democratic....
The American Center for Voting Rights argued extensively by anecdote, such as someone, somewhere registering Mary Poppins to vote. Anecdote would then be coupled with statistics showing problems with voter rolls not being purged of voters who had died or moved, leaving open the potential for fraudulent voting. Given this great potential for mischief - yet without actual evidence - allegedly reasonable initiatives such as purging voter rolls and requiring ID seemed the natural solution.
At least in hindsight, the center's line of argument is easily deconstructed. First, arguing by anecdote is dangerous business. A new report by Lorraine Minnite of Barnard College looks at these anecdotes and shows them to be, for the most part, wholly spurious. Sure, one can find a rare case of someone voting in two jurisdictions, but nothing extensive or systematic has been unearthed or documented.
He also points out that serious voter fraud isn't even theoretically tenable:
But perhaps most importantly, the idea of massive polling-place fraud (through the use of inflated voter rolls) is inherently incredible. Suppose I want to swing the Missouri election for my preferred presidential candidate. I would have to figure out who the fake, dead or missing people on the registration rolls are, then pay a lot of other individuals to go to the polling place and claim to be that person, without any return guarantee - thanks to the secret ballot - that any of them will cast a vote for my preferred candidate.Those who do show up at the polls run the risk of being detected and charged with a felony. And for what - $10? Polling-place fraud, in short, makes no sense.
The Justice Department devoted unprecedented resources to ferreting out fraud over five years and appears to have found not a single prosecutable case across the country. Of the many experts consulted, the only dissenter from that position was a representative of the now-evaporated American Center for Voting Rights.
The arguments against vote fraud were built on a house of cards, a house that is collapsing as quickly as the U.S. attorney investigation moves forward.
And as the DOJ Inspector General's report recently showed, at least one U.S. Attorney was fired specifically because he would not bring voter fraud charges against ACORN under enormous pressure from Karl Rove and the Republican powers that be.
Politics
Comments
This particular difficulty of throwing an election remains in place as long as we don't do stupid things like putting in proprietary touch-screens systems with no paper trail otherwise he is right on the money.
Posted by: yoshi | October 16, 2008 10:58 AM
Yoshi is right -- I want to see oversight on the paperless touch-screen systems (that seem - if memory serves - to have been given out on contract to companies during a Republican-controlled congress).
[sarcasm] Ooooohh! You heard me, I'm calling out a counter-conspiracy based on the fact that Republicans controlled Congress during that time. [/sarcasm]
Seriously, though, does anyone know what sort of oversight there is on these automated systems? What about being able to track individual votes? This is an area in which I am quite unfamiliar.
Posted by: Umlud | October 16, 2008 1:26 PM
Oversight? On modern computerized voting machines?
Ahahahahahahahahahahahaha.
Posted by: Anonymous | October 16, 2008 1:36 PM
Umlud,
Two ways of approaching this:
First, I don't go in for the conspiracy theorizing on the issue because I don't think it could be carried out in secret. To write the code, check it, install it, etc., requires a large number of people. So first we would have to assume that the heads of Diebold (who were Republican contributors) are willing to commit outright fraud to help their favored party win. But second, we'd have to assume that everyone involved in the process of developing that code was in on it. I'd eat my own shoes if there were no Democrats working at Diebold who are in a position to know what went into those machines, and would be in a position to blow the whistle.
But the second way to look at it is to assume there's no purposeful fraud, but that there is a glitch, a bug that didn't get caught or that develops (we've all experienced software that after a while started working funny, right?). Without a paper trail, how could we catch it, and how could we correct it for a particular election?
A few years ago I read about one state that was looking into this, and hit on the bright idea of hiring as a consultant a guy who worked for the Nevada Gaming Commission, testing slot machines (new slots must be approved by the Commission before going into the Casinos). There was probably nobody who had a better background for analyzing this than him, and after looking at different machines, his conclusion was simple and clear: Get machines that have paper trails.
Posted by: James Hanley | October 16, 2008 1:50 PM
Posted by: Taz | October 16, 2008 2:09 PM
does it? how many, working for how many independent organizations, with how much transparency to the public?
how much programming experience do the independent code reviewers have? how is it verified that the code installed on the actual, deployed, machine matches the code sent in for official code review? when and by whom is this verification done?
for reference: as a professional programmer, i would estimate that one senior developer could probably write the code for a voting machine system in one or two years, at most, if working unaided. possibly considerably less, depending on just how good a designer and coder this person was. with the assistance of two to five junior developers, documentation writers, testers, &c., this could likely be cut to between three and six months.
independent code review would need a crew of comparable size and experience, and would take somewhere between a few weeks and several months, depending on the quality of the code and documentation produced. (who's paying for this, again? out of which budget?)
then you need to create a way by which election workers, usually not experienced in programming or perhaps any kind of IT at all, can independently verify that the code running on the machines delivered to them matches a set of code they never saw --- the code the independent reviewers saw --- preferrably without needing to use any of that code in order to perform the verification. some sort of checksum or cryptographic signature system, one presumes. what method is currently used to do this?
Posted by: Nomen Nescio | October 16, 2008 2:41 PM
Nomen,
Good input. I would set the election workers outside the scenario--there's no way a bunch of grandmas who volunteer to work on election day can be expected to be part of the checking.
As to the other parts, I would assume that in any large business--and Diebold is a large business--there are enough people who either have their hands in the pie, or who are aware enough to notice that for some reason this one particular important slice of our business doesn't have many hands in the pie, that questions would be raised. The reason conspiracies fail is that it's too damn hard to keep secrets.
Are you an independent programmer, or do you work for a large firm? I'm guessing that in a large firm, wouldn't programmers be curious as to who's working on what and talk about it "around the water cooler"? And since all Diebold programmers presumably know about this part of the company's business, wouldn't they notice and get suspicious if nobody knew who worked on that program? And since at least some programmers are left-leaning, isn't it likely someone would at least blow the whistle that something suspicious is going on?
That is, I'm not assuming necessarily (although I may have phrased it poorly before) that progammer X is suddenly going to say, "Hey, I was just looking at this code and it's designed to steal elections," as much as I am assuming that the way a business would have to run that part of their operation to keep anyone from noticing the illicit code would cause suspicion.
Posted by: James Hanley | October 16, 2008 3:43 PM
James, i work for a small company. i've got my grubby mitts on the corporation's entire billing database, and the custom code that enters data into it, pretty much unsupervised; quite a lot of responsibility. nor do i think that kind of scenario is uncommon in corporate America. more common in smaller offices, of course, but still.
i don't know how large Diebold's programming department is. however, it's not at all unreasonable to speculate their voting machine team may be half a dozen people or less, on the actual coding side at least. that number of programmers should be sufficient for the task, at least if they're decently experienced, unless there are some legal or business reasons to structure the organization otherwise. they could have more people than that doing testing alone, if they have legal requirements to do unusually extensive testing, for instance. i do not know if that is the case.
the voting machines actually used at the polling places need to be verified somehow, by somebody. otherwise you'd leave a huge, obvious security hole in the production and distribution chain for the actual hardware. if the polling place workers can't do this verification, then the machines need to be verified elsewhere and then kept under strict control up until they're delivered to the polling places. is that being done?
(and what about software updates to the machines? ideally, no such should be performed, or even necessary. if they are, each update needs to go through the same vetting process before being installed anywhere.)
malicious code can be hidden from all but very careful search, provided it's being inserted by someone sufficiently skilled and motivated. to a large extent the ease of concealing backdoors from code review depends on how well documented and how clearly structured the source code is --- the same source code that's usually considered a trade secret and never allowed to be inspected by outsiders. (that last obviously can't be allowed to be the case with voting machines.)
the worst case scenario is a Thompson toolchain hack. that's fortunately quite unlikely in a voting machine scenario, but the technique does demonstrate just how hard it can be to find intentionally inserted, skillfully hidden malicious code. for a journeyman programmer like myself, a Thompson-style hack would be quite undetectable; you'd need a master of the art to be actively looking for it.
clearly, code review of truly security-critical code needs to be performed by very experienced programmers. nor should it be done by any one single person; you need a code review team, where at least most of the members are of at least middling skill, and led by a very experienced person. such a team will not come cheaply, needless to say.
...it's interesting to note that the vast majority of the security concerns would, not disappear entirely, but be significantly less urgent and influential, if only the voting machines all left verifiable paper trails... then at least the outcome of an election would not be irretrievably tainted even if there was something fishy in the code.
Posted by: Nomen Nescio | October 16, 2008 4:18 PM
Diebold in-house employees did not write much of the code for the e-voting machines, but rather outside consultants were brought in. These consultants included 5 convicted felons. Their code counted 50% of the votes in 30 states in 2004.
The Senior Vice-President and Senior Programmer at Global Election Systems (GES) now called Diebold Election Systems, Jeff Dean, was convicted of 23 counts of felony theft for planting back doors in software he created for ATM. Court documents indicate Jeff Dean used a "high degree of sophistication" to evade detection. GES employed other convicted felons in senior positions, including a fraudulent securities trader and a drug trafficker.
Diebold has been criticized for it's culture of corrution from the top down. In December 2005, Diebold's CEO Wally O'Dell left the company following reports that the company was facing securities fraud litigation surrounding charges of insider trading
http://portland.indymedia.org/en/2004/10/301469.shtml
http://www.wired.com/news/evote/0,2645,61640,00.html
Posted by: Abby Normal | October 16, 2008 4:20 PM
Taz, that suggestion opens the possibility of verifiable vote purchasing. if voter X can verify, after the election and away from the polling place, that their vote (which they know to be number such-and-so) was registered for candidate Y, then so can a vote buyer.
Posted by: Nomen Nescio | October 16, 2008 4:25 PM
The paper trail is vital. Hugh Thompson, an application security consultant and adjunct computer science professor at the Florida Institute of Technology, demonstrated that all it takes to hack the current machines, once you get inside the secure cabinet, is Notepad and 6 lines of code.
The key to the lock that secures the computer cabinet is the same for all machines. Diebold until recently had a picture of the key on their web site. They've taken it down now. But all it takes is a quick Google search to find it. Princeton students were able to create a master key from that picture, capable of opening any Diebold voting machine. http://www.bradblog.com/?p=4066
Hacking the Diebold machines is trivially simple and without a paper trail, undetectable.
Posted by: Abby Normal | October 16, 2008 4:49 PM
Great responses to my questions by both Nomen and Abby. Disheartning, but very enlightening.
Posted by: James Hanley | October 16, 2008 4:49 PM
An excellent blog, written by computer scientists, including several security specialists, that frequently deals with the voting machine issue is Freedom to Tinker.
Posted by: Bill Poser | October 16, 2008 5:13 PM
I don't think the point of wide-scale voter-fraud's impossibility in the modern environment can be overstated. Voter fraud really is a relic of that time when, in certain states, county judges possessed almost total control over the polls from start to finish, and populations quiescent enough or politically marginalized enough to have their votes monetized on a large scale, and not care.
Posted by: Julian | October 16, 2008 11:37 PM
NSA regularly oversees the development, design, engineering, integration, testing, production and delivery of high-grade cryptographic devices by commercial industry. They know how to conduct the appropriate threat-vulnerability assessments and are proof that the US government has the policy, methodology, processes and infrastructure to assure the development of trusted computing devices. The development of a trusted voting machine is entirely possible. However, the more trusted you want it, the more costly it becomes for the manufacturer and therefore the downstream buyer. I don't buy the arguments that it is technologically impossible or that it will be corrupted by dark political forces. The technical bureaucrats who do this type of oversight work are good at it, take pride in it and work far enough down the organizational food chain to not bother with political motives. They are required to maintain high security clearances specifically to guard against corruption. The only question is how much money do you want to spend to impose rigorous oversight.
Posted by: Ex-drone | October 17, 2008 7:24 AM