Monday, November 10, 2008

Old and new in central Ohio

I spent most of this weekend in central Ohio, visiting my daughter. We spent Saturday roaming the roads of Amish country, a bit northeast of Columbus and southwest of Cleveland. Two items struck my fancy.

In Wooster, home of the College of Wooster, we had a nice breakfast and visited Freedlander's Department Store, which is going out of business. Freedlander's is the story of the growth of America's heartland. The store, which until now is the largest independently owned downtown department store in America, was opened in 1884 by a Polish Jewish immigrant who got his start peddling goods from farm to farm before opening his store in the thriving town of Wooster. The store grew over the next 75 years and generations of the founding family, slowly taking over neighboring buildings until it covered most of a downtown block, four stories high. In the 1970s things started declining, and today all that's left is a small fraction of what was there a few decades ago - probably largely done in by suburban stores like WalMart and cars which made it easier to travel to bigger cities & stores. A nice history of the store can be found here.

The lesson is that we should never assume things will be the same 20 years from now as they are today. The technology industry survives because it constantly reinvents itself, although some companies who have thrived have lost sight of the continuing changes. Wang Labs comes to mind - when I graduated from college in 1980 they were one of the highest of the high fliers, and were in the process of building a huge new campus. Now, almost no one has even heard of them.

The second item was also something of a recognition of continuing change, and how people learn to adapt. As is well known, Amish people eschew use of electricity and other modern conveniences. However, after teenagers finish 8th grade (the end of their formal education), both boys and girls are permitted to work in the "English" (secular) world. So I was amused when visiting a cheese store to see the girls, dressed in their traditional Amish clothing, chatting on the phone with their friends, and expertly running cash registers. The cashier I spoke to said she didn't get tired of cheese (which was rather overwhelming in the store), but rather the sheer number of people she had to deal with every day - quite a contrast to her serene farm life. The most amusing example I saw of this old-new contrast was at a flea market, where a young woman (again wearing traditional clothing) was intently staring at a computer screen used to set up a laser engraving machine!

I wonder how they feel about the contrast between old and new?

Sunday, November 09, 2008

Verifiable Voting legislative priorities for 2009

Now that the election is over, it's time for the Verifiable Voting Coalition of Virginia (VVCVa) to set our legislative options for 2009. Please post your thoughts as responses to this blog posting!

Below is a preliminary list of items that may be on the agenda:

  1. Non-partisan redistricting (guaranteed to be a good fight again this year)
  2. Explicitly permit independents to be poll workers
  3. No-excuse in person absentee voting (we keep trying) - maybe we should point out how many people voted absentee and how it contributed to a generally smooth election day
  4. Explicit instructions on breakdowns - when emergency paper ballots are required
  5. SBE authority to tell jurisdictions the minimum number of ballots they are required to have on hand.
  6. SBE to gain authority to tell jurisdictions the minimum number of poll workers they need - but that is both a funding and an ability to find workers issue, so much harder to make a rule.
  7. Improve the machine to voter ratio.
We're also hopeful that given the very close race in the Virginia 5th Congressional District (undecided at this writing), we'll see interest in fixing Virginia's audit and recount laws, which are among the most restrictive in the nation.

If there are specific issues that you would like to work on, also please let us know that. We always welcome help as we develop legislation and lobby legislators. We request your feedback before Friday Nov. 14 to be added in time to our coalition' discussion.

Thanks for all your work this year to write your legislators about your concerns.

Thursday, November 06, 2008

An interesting undecided race - Virginia's 5th Congressional

No, there's no massive undervotes or hanging chads or anything like that, but Virginia's 5th Congressional District, home to Charlottesville and the University of Virginia, is a cliffhanger: the Democratic challenger was ahead this morning by 31 votes out of 300,000 over the Republican incumbent - as of this writing the margin is about 600 votes. (Most recent info here .)

There's a couple of interesting things here:

(1) Problems with vote total uploads. The coverage (see below) indicates that there were problems uploading the unofficial results into VERIS, Virginia's statewide system for voter registration and election results. (This is the same system that appears to have been the cause of the long lines in Chesapeake.) The coverage indicates that right around midnight there was some sort of glitch and vote totals were scrambled and/or lost. As the reports are short on technical details, I'm not sure what really happened.

(2) The race is close enough that there's a good chance one of the candidates will ask for a recount (recounts aren't automatic in Virginia, but allowed when the margin is less than 0.5%). But Virginia law, as readers of this blog may remember, is extremely restrictive. For DREs, you look at the totals from the machines and re-add those. If the tape is illegible, you print a new one. For optical scan, you test the machine (the tests being undefined - it was the best I could do when we were amending the law) and then run the ballots through again and use the results from the total tape. Only with a judge's order can you manually inspect the ballots - but judges have refused since the law doesn't tell them when to allow inspection.

Not clear at this point what's going to happen next - will the purported loser challenge things?

Local coverage:

Wednesday, November 05, 2008

My first day as a pollworker

Like many Americans, I had a long day yesterday - I'm a pollworker in Fairfax County Virginia. I started my day at 415am (haven't gotten up that early in a while!) so I could be at my polling place by 500am to start setting up. (I'm jealous of Avi Rubin whose polling place didn't open until 700am, so he got to sleep later!) By the time I arrived, there were already 10 people in line - even though polls didn't open until 600am.

Virginia is a hodge-podge when it comes to voting equipment. Each city or county (they're different in Virginia) can choose their equipment from a list approved by the state - and they make many different choices. Fairfax County uses a hybrid system: Diebold optical scanners and AVS WinVote touchscreen DREs. The WinVote machines have been used for the past few years and voters are familiar with them; the optical scan is new this year thanks to a bill I helped write and pass a couple years ago.

Once we got the machines set up, the doors opened right on time. I heard (but didn't see) that by the time polls opened, the line went out the door of the school where our polling place was held, and down the street a couple hundred feet. What I know is that the line was non-stop from 600am until about 830am - after which we never had more than a handful of people in line for the rest of the day.

When voters came in, they went to one of two desks (A-L and M-Z) by last name (yes, some voters asked if it was by first or last name). This turned out to be our bottleneck - thanks to the optical scan machine and the privacy booths described below, we could have completely eliminated lines if we had been able to divide our pollbook into three or four groups, but Virginia law doesn't allow us to do that. Given what I've read in other places, I think I'm happy we didn't have electronic pollbooks.

In our training, the county election officials had told us we were to give voters the optical scan ballot in a folder with instructions on how to fill it out. If the voter explicitly asked for a DRE, we were to allow them to choose that, but we were not to offer that choice. Some of the pollworkers in my precinct, including the chief, seemed to disagree with that guidance and either suggested the DRE, or asked voters their preference. (Later on in the day the deputy chief noticed this aberration from the policy, and instructed everyone what to do. I heard from friends working in other polling places that they similarly had problems with giving instructions.)

Most voters were fine with the optical scan, and a few expressed a strong preference for it. Some expressed a strong preference for the DREs - mostly older voters, to my surprise. Why is that? Is it familiarity from the past few elections?

One of the frustrating parts about this "choice" was that we weren't allowed to tell voters why they should choose one or the other - we couldn't say "the DREs are inaccurate and unauditable" or "it saves money" anything like that. (In fact, during the training, the instructors didn't even know why the change was being made, other than the law told them to.) One of the great things about optical scan is that when the line gets long, you get more pens - unlike DREs, where when the line gets long, you're out of luck. But I couldn't say that either.

Back to the story, we had seven "privacy booths" (basically stand-up cardboard boxes where you can mark your ballot) and three "privacy desktops" (cardboard boxes that sit on a table) for use by voters while coloring their optical scan ovals. During the morning rush, and several other times during the day, we had all 10 of them in use, and sometimes the three DREs were in use also. To do that with all DREs would have taken at least a dozen, at a cost of $3000 each (vs. $5000 for a single optical scanner). So I figure we saved the taxpayers at least $30,000 in my precinct alone (that's before counting the cost of the optical scan ballots, but those are relatively cheap).

Virginia law says you can have no more than 750 registered voters per DRE (if you're using DREs). My precinct, which has just under 2000 registered voters, could therefore have had as few as three DREs, if we weren't using optical scan. If we had three DREs, instead of 10 cardboard boxes plus three DREs, the lines would have been hours long, and might well have lasted all day - the line which started at 600am might well have had voters waiting six hours or more.

By about 1100am, over 50% of registered voters had cast their ballots (including absentees). That meant the remaining 8 hours were slow - there just weren't that many voters left. There was no last minute rush with people running in to cast their ballot just before the doors closed at 700pm - in fact, our last voter came in about 5 minutes before closing. When we closed the polls, just over 80% of registered voters had cast ballots - consistent with the rest of the county.

Then came the long process of closing out the machines, packing everything up, accounting for every piece of paper, reconciling totals, etc. (There was one mistake which initially caused us to think we had one more votes than voters - until we discovered by careful review that in the pollbooks, someone had marked two different people as the 59th voter of the day. Mystery solved.) We didn’t finish until 930pm. Then I went home and watched election results.

For working from 500am to 930pm, I earned $100. (Plus I had to take training, which is unpaid.) Definitely not a way to get rich.

Some lessons learned and other notes:

When I went to pollworker training, I had to present an ID. But when I showed up to work as a pollworker, no one asked to see my ID. This is similar to the TSA "identity triangle" problem - the TSA matches your ID against your boarding pass, and the airline makes sure you have a valid boarding pass, but no one checks that the two are the same, which allows for subverting the system. If someone knew that I was a pollworker in my precinct, they could show up at 500am and claim to be me - and get access to things like the key that authorizes casting multiple votes on a machine. Of course, if the real person showed up, that would make things sticky - but in the meantime, it highlights a low-risk vulnerability in the system.

The most novel way to cast a ballot incorrectly was a voter who after marking his ballot, slipped it in between the base and side of the cardboard privacy booth (so it fell to the floor underneath the box). Luckily, I realized this as he started to walk out the door without scanning his ballot (I was standing at the scanner at that point helping voters), so I retrieved his ballot and got it scanned in.

At the close of the night, I noticed that the presidential breakdown was roughly 55%/45% for Obama on the optical scan machine vs. 50%/50% on the DRE. Friends in other precincts noticed similar discrepancies. Why is that? Are people who like DREs more likely to vote Republican? I don't think it's just coincidence, given the wide difference and the consistency across precincts.

Localities in Virginia that use DREs only learned the hard way that the lines just get too long, since you can't just go out and buy more when lots of voters show up. Perhaps instead of arguing against DREs on the basis of security or reliability, we should argue on the basis of line length - that's something everyone can understand!

And finally: several voters came up to me and other pollworkers during the day and thanked us for being there. While it didn't make me any less tired, it sure was nice to feel appreciated!

Monday, November 03, 2008

Push or pull for prescription security?

I recently had a reason to fill two prescriptions on the same day, one at a local pharmacy and the other through a mail-order pharmacy. In both cases, the same doctor was writing the prescriptions.

First, I tried calling the doctor to get copies of the prescriptions to bring to the store and mail off. No luck - he doesn't do that any more. (Maybe if I had an office visit he would, I don't know.) Instead, it's all done electronically - but the two were handled differently by the pharmacies.

For the mail-order pharmacy, I had to call them, give them the name and phone number of my doctor (which they looked up in some sort of registry), the names of the prescriptions, and my insurance and credit card number to pay. They then called the doctor, who approved the prescriptions by phone. For the local prescription, I called the doctor's office, gave them the phone number of the pharmacy which they called and ordered the prescription, which I then picked up and paid for.

So I wondered, is one of these more secure and/or private? I don't think there's a privacy difference - in both cases, my doctor (obviously) knows what prescriptions I'm taking, and so does the pharmacy. In the mail order case, presuming that they really checked the doctor's information I gave them against some sort of authorized prescribers list, then a patient can't get prescriptions without approval (unless I subvert the doctor's telephone system and redirect the approval calls). And in the local pharmacy case, while I could cause the doctor's office to call a fake pharmacy (since I provide them with the phone number), that would have no real value to me.

The most likely problem is if I could convince the mail order pharmacy that the doctor's phone number had changed, and their records were out of date, then I might be able to get prescriptions that aren't authorized. Presumably they have processes in place to prevent those types of attacks - and those processes are hopefully stronger for controlled drugs (e.g., narcotics) than for ordinary medications (e.g., antibiotics).

As a security engineer, I can't help but think about the security aspects of almost anything I see...