What do you think when a company starts changing its name every couple of years? Does it make you feel that the company can be trusted or do you wonder if it’s the old shell game? Which name is the company under now? DOMINION is also known as Premier (aka Diebold). In 2007, Diebold decided to change their name to Premier Election Systems¹ for strategic reasons possibly related to the exposure of their lack of security by two states and a computer professor. In 2009, Premier was acquired by Election Systems and Software (ES & S). Due to antitrust lawsuits filed by the Department of Justice and 14 states, Election Systems and Software had to divest. In 2010, DOMINION acquired assets of Premier Election Systems including intellectual property, software, firmware, and hardware for Premier’s current and legacy optical scan, central scan, and touch screen voting systems. Also, all versions of the GEMS election management system from ES&S were acquired by Dominion. GEMS was found to have security problems by an independent software analyst.
Let’s take a look at some of the history of voting machines. In 2003, the source code for Diebold (aka Dominion) AccuVote voting machines was available on the internet. Avi Rubin, a Professor of Computer Science at Johns Hopkins University, was asked to look at the source code. Professor Rubin found Diebold source code to be far below even the most minimal security standards². Avi Rubin and his team published a paper describing the incredible flaws in Diebold. They found that one voter could cast multiple ballots without leaving a trace. A voter could perform administrator functions and even terminate the election early. Poll workers, janitors, or software developers with access to the voting machines before the election could pose various threats to the election tally. When the voting machines communicated with the County Registrar Office there was no security in place. The data wasn’t encrypted and there was no way to determine that the data sent was the same as the data received. A Man In the Middle (MIM) could easily access and alter the data. Cryptography has been used for hundreds of years to make sure that data is protected. For some reason, despite hundreds of years of protocol, Diebold voting machines had no such protection in place. Software developers should have used methods to prevent a change in the code. Instead, arbitrary patches of code could be inserted at any time.
Avi Rubin’s team found buffer overflow which could result in malicious code written in or data changed. Not only that but the code C++ was well known to have problems with buffer overflow -yet that was the language chosen for the voting machines. Buffer overflows had caused problems in elections before but that didn’t seem to concern Diebold. Could it have been deliberate? Professor Rubin states that the comments written by the software developers suggest that they were aware of system flaws and ignored them.
Is Dominion computer code accurate? There is only one way to know for sure. Rush in, seize the code and examine it. A vendor might protest that an independent testing authority such as Wyle Labs has certified that their voting machines have met FEC guidelines. The opportunities to change the machine code after certification are unlimited.
After Avi Rubin’s team published their results, Maryland and Ohio hired independent firms to analyze Diebold. They verified everything that Rubin documented and found even more problems. They found that despite the flaws that Rubin had found in the source code, there were no corrections made and that the new machines just purchased, still had the same appalling vulnerabilities. In addition, there were security problems with the back-end GEMS server. A voter could be tricked into voting for the wrong candidates by secretly changing the ticket from Republican to Democrat in a primary. In addition, a poll worker could modify the configuration of the system. This change in configuration could result in a miscount of votes. An in-depth explanation of these vulnerabilities can be found in Professor Avi Rubin’s report, “Analysis of an Electronic Voting System” published on February 27, 2004. It is available on the Internet.
Well, 2004 was 14 years ago. Things probably have been fixed right? How would we know? The source code is proprietary. Our County Registrar doesn’t even know because they can’t look at the code either. Only vendor DOMINION can look at the code.
Each county uses their own versions of the Dominion machines. The Secretary of State, Alex Padilla, has a website list of which machines each county uses. Most counties use different versions of DOMINION machines. If you see the names DIEBOLD, PREMIER Election Solutions, SEQUOIA, Premier ACCUVOTE, and ES& S, these are all owned by DOMINION and use PROPRIETARY software.
¹Retrieved from Wikipedia, Premier Election Solutions. On March 5, 2019
²Rubin, Avi, (2004, February 27). Analysis of an Electronic Voting System. This paper, copyright the IEEE, appears in IEEE Symposium on Security and Privacy 2004. IEEE Computer Society Press, May 2004. This paper previously appeared as Johns Hopkins University Information Security Institute Technical Report TR-2003-19, July 23, 2003 Retrieved March 5, 2019