Opinion: Grave concerns over the security of electronic voting machines in the United States mean the heart of American democracy is at risk, writes SecurityFocus columnist Scott Granneman.
My grandmother, Ruth Scott, was passionately interested in politics her entire life. She never missed an election (an attitude she instilled in her descendants), she followed political debates with great fervor, and, in perhaps her most selfless action, she worked for decades as an Election Judge on election day. These were long days for her, as she had to be there before the polls opened and stay until they closed and the votes had been counted. I'm sure she would have appreciated any tool that made her job easier and enabled her to get home sooner. It seems that such a tool may now be gaining traction all over America: the electronic voting machine. But is it really a good thing for our country and our electoral system?
After the 2000 election debacle in Florida (and actually in plenty of other locations around the U.S.), with its hanging chads and pregnant chads and other punch-card problems, Congress passed the Help America Vote Act in 2002. One of the functions of the new law was to provide $4 billion for states to use in updating their often antiquated voting equipment. With federal money available, and the cautionary story of Florida as a warning, states began turning in droves to electronic voting machines.
Georgia uses voting machines made by Ohio-based Diebold Election Systems throughout the state.
Maryland signed a $55.6 million deal with Diebold in July to supply the state with 11,000 voting machines. Other states using machines made by Diebold include Ohio, Texas, and California. Overall, there are more than 55,000 Diebold machines in use around the country.
A Litany of Problems
An election held in Houston just a few days ago was marred when election judges incorrectly set up twelve eSlate voting machines, resulting in a malfunction. The paper ballots that were supposed to be present were not, so judges gave voters pieces of paper torn in half and told them to write their votes down. Other voters simply left without casting their ballot. Some voters were told that they should come back later in the day, when the machines would be working, thereby casting their ballots twice.
The Oakland Tribune reported last week that several thousand voters in Alameda County used electronic voting machines made by Diebold that were never certified for use by state and county voting officials. Diebold altered the software running on the machines prior to the election, but never bothered to submit the software for testing or even notify the state that the software had been made.
Another election last week also displayed troubling irregularities. After Rita Thompson, a school board member who lost a close race in Fairfax County, Virginia, complained, tests were performed on a WINvote machine made by Advanced Voting Solutions of Texas. Lo and behold, one out of every hundred votes for Thompson actually resulted in a subtracted vote for the candidate. But there's more. Ten machines broke down during the day, so they were brought to the county government center, repaired, and sent back to be used by voters ... with no oversight. But there's still more. At 7 p.m., most of the 223 precincts in the county attempted to report tallies. At the same time. The system, overworked, crashed. "Fiasco" is not a word I would disagree with in describing this situation.
In Georgia during the 2002 elections, some voters using Diebold machines tried to vote for one candidate, but the machine would instead register a vote for the opponent. It got weirder in Georgia in 2002. There were six electoral upsets in that election, including one in which the incumbent senator, who was far ahead in the polls, lost by 11 points. Diebold had changed the software used by the voting machines seven or eight times, without anyone examining it, and then after the election the company immediately overwrote the flash memory of all the cards used by those machines, so it is now impossible to know what the vote counts really were.
Also during the 2002 elections, machines made by Omaha-based Election Systems & Software erroneously reported that no one in several large Florida precincts had voted for governor. These examples are just the tip of the iceberg.
Problems abound. But it's actually much, much worse.
The Big Issue: Security
So, how do you know that the machine actually counted your vote? You don't! Oh sure, you may see a screen at the end of the process that shows you what you selected ... but how do you know that those choices are actually tabulated? The answer: trust the companies that make the machines. But that attitude, if it ever made sense, has been shown to be not just wrong but foolhardy in the past several months.
In March, someone broke into a Web server used by Diebold using an employee's ID number and copied thousands of messages posted to an online discussion board used internally by Diebold employees to discuss its voting machines, as well as actual code used in the voting machines. In August, the documents were sent to journalists. Within one month, student activists at Swarthmore College acquired the documents and began making them available on their Web site. Within a few days the documents had spread like kudzu and were available at over 50 other college Web sites, including MIT, Harvard, and UC-Berkeley.
One of the reasons the students are concerned about Diebold's involvement in the electoral process is the company's cozy relationship with the Republican party. Diebold donated more than $195,000 to the Republican party in 2000 and 2001, and Walden W. O'Dell, the company's CEO, pledged in an invitation to a fund-raiser to deliver Ohio to George W. Bush in the next election. Regardless of the political linkages, the content of the memos is extremely problematic, as you'll see in a moment.
Diebold responded in a heavy-handed manner by sending out cease and desist letters backed by the Digital Millennium Copyright Act (DMCA) of 1998, a poorly-designed law that has earned its share of opprobrium. These letters claim that those posting Diebold's files, or even just linking to the files, are in violation of Diebold's copyrights. Needless to say, these rather specious claims appear to fly in the face of fair use and the public's right to know.
Swarthmore, after an initial bout of cowardice, is now supporting its students. The College has asked Diebold to justify its claims, while aiding its students as they develop a legal response to Diebold's take-down notice. In fact, Swarthmore clearly states that "it is defensible on fair-use and free-speech grounds to use [the students'] web sites to describe the content of the memos they have seen and their implication for American democracy, and to use their sites to inform interested members of the public that the memos are available at sites not associated with Swarthmore."
Unfortunately for Diebold (and fortunately for American democracy), the files are now on servers all over the world, including Australia, New Zealand, Canada, and Italy, where the DMCA does not apply. Even better, Diebold's files are now on Freenet, the anonymous, encrypted peer-to-peer network, as well as other peer-to-peer networks like BitTorrent and Overnet. Too late, Diebold. The toothpaste is out of the tube. Game over.
If you'd like to view the Diebold files yourself, a simple Google search is all that you need. The files seem to portray a company lacking good practices in the area of software development, quality assurance, sales, and security, as the following excerpts make clear.
"Over [the past three years] I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations." (Source: "Resignation", announce.w3archive/200110/msg00001.html, dated 5 October 2001)
"It does not matter whether we get anything certified or not, if we can't even get the foundation of Global stable. This company is a mess! We should stop development on all new, and old products and concentrate on making them stable instead of showing vaporware. Selling a new account will only load more crap on an already over burdened entity. ... You are taxing the development team beyond what they can handle. ... Why is it so hard to get things right! I have never been at any other company that has been so miss managed [sic]." (Source: "Fw: Battery Status & Charging-and too much bull!!", announce.w3archive/200110/msg00002.html, dated 20 October 2001)
"I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb". I would appreciate an explanation on why the memory cards start giving check sum messages. We had this happen in several precincts ..." (Source: "Memory card checksum errors (was: 2000 November Election)", support.w3archive/200101/msg00061.html, dated 18 January 2001)
"For a demonstration [for El Paso County, Colorado] I suggest you fake it. Progam them both so they look the same, and then just do the upload fro [sic] the AV. That is what we did in the last AT/AV [AccuTouch/AccuVote] demo." (Source: "RE: El Paso, Colorado", support.w3archive/199903/msg00098.html, dated 19 March 1999)
"I hate more than anyone else in the company to bring up a certification issue with this, but a number of jurisdictions require a "system test" before every election. I just helped Knecht yesterday with an RFP from Riverside that required this. That is why the AccuVote displayes the silly ***System Test Passed*** message on boot up instead of "memory test passed", which is all it actually tests. No argument from me that it is pointless. You could probably get away with a batch file that prints "system test passed" for all I know. We will do something along those lines with the new unit after a memory test or whatever." (Source: "RE: AVTS - Diagnostics & Installation", support.w3archive/199907/msg00013.html, dated 6 July 1999)
"Right now you can open GEMS' .mdb file with MS-Access, and alter its contents. That includes the audit log. This isn't anything new. ... Now, where the perception comes in is that its right now very *easy* to change the contents. Double click the .mdb file. ... It is possible to put a secret password on the .mdb file to prevent Metamor [a consulting company] from opening it with Access. Being able to end-run the database has admittedly got people out of a bind though. Jane (I think it was Jane) did some fancy footwork on the .mdb file in Gaston recently. I know our dealers do it. King County is famous for it. That's why we've never put a password on the file before." (Source: "RE: alteration of Audit Log in Access", support.w3archive/200110/msg00122.html, dated 18 October 2001)
Think about those memos. In particular, the last one. Here we have a company using unprotected Microsoft Access database files to store votes and the audit log. That's bad. Really, really bad, in a whole host of ways. But even worse, after pondering a change, it decides not to implement a password! And what is meant by the "fancy footwork" that "King County is famous for"? That sounds shady as hell.
In July, Avi Rubin of Johns Hopkins University, along with other security experts, analyzed the purloined source code. His team issued a scathing report. Some of his findings: it would be easy for an insider at Diebold to alter the system to affect voting results; since the source code is kept secret, this could be done without detection. It would be simple for a voter, without invoking any special privileges, and without any detection by the system, to cast as many votes as she desired. All the voting machines use the same hard-coded passwords; in some cases, this password was set to "1111" (I think that's the sound of the collective jaws of security pros dropping to the floor). And finally, since there is no paper printout of votes, there is no way to accurately audit the system, and therefore no way to accurately reconstruct an election if it is contested. As the report put it:
"Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes."
Of course, Diebold denied the findings of Rubin's report. The state of Maryland, however, commissioned an investigation of the Diebold machines by SIAC. SIAC found 328 security weaknesses; of those, 26 were designated critical. Among the problems: Diebold doesn't encrypt vote totals before they are transferred to the Board of Elections over the Internet. Diebold's response is far from reassuring, as the Washington Post reported:
So there you have it: the squeaky wheel gets the grease. Diebold will fix Maryland's machines, but everyone else in America will continue to suffer from hundreds of security holes, 26 of them critical. Feel better?
Of course, anyone that really cares about security knows that a system has to be built with security in mind from the get-go. You can't just bolt security on top of a system after the fact and assume that any problems will be fixed. But that's exactly what Diebold proposes to do. They told us to trust them before, and now they're asking us to trust them again. How trusting are you?
Some Proposed Solutions
Rep. Rush Holt (D-N.J.) has proposed the Voter Confidence and Increased Accessibility Act of 2003 (H.R. 2239). Holt's proposed law would mandate the following by the November 2004 general election:
- All voting systems must produce a voter-verified paper record which can be used during manual audits.
- Voting systems must use open software and may not use wireless communications devices; further, any electronic communication performed by the voting system may only be outgoing, and only then to report vote totals.
- Voting systems usable by people with disabilities must be in place by 1 January 2006.
- Surprise recounts must take place in .5% of domestic jurisdictions and .5% of overseas jurisdictions.
These are reasonable proposals that would go a long way toward helping alleviate the concerns that many people have about electronic voting. Unfortunately, Rep. Bob Ney, the chairman of the House committee that would propose Holt's bill, opposes it, so it is essentially dead in the water. Coincidentally, or perhaps not, Ney is a Republican representing Ohio, the home state of Diebold. Hmmmm ...
Certain changes in election machines and election law are definitely required. After you vote on an electronic machine, it should print your choices on a piece of paper that is placed into a locked box. If a problem arises and a candidate requests a recount, those slips of paper are there for verification. Wired News reported in October that some of the companies who manufacture electronic voting machines have finally agreed in principle to change their machines to produce a paper record of votes. We'll see if it actually comes to fruition.
The testing process should be opened up as well. Currently, all voting machines have to pass the Federal Election Commission's testing process so they can be certified for use. However, the General Accounting Office issued a report in 2001 stating that the FEC tests do not test for security in a thorough manner; in fact, the testing is so secretive that members of state boards that certify the equipment cannot even get information about exactly what is being tested and how. Worse, the tests themselves are laughable in their inattention to even basic concepts of security, reliability, or veracity. To top it all off, only 37 states follow the FEC standards in the first place.
To really ensure that the election process is fair and above the taint of corruption, federal law should require that the source code for the voting machines is opened up. If the code is not made entirely public, which would be best, then it should be opened up for expert study and review, with any findings published.
Australia's voting machines run completely open source code that has been publicly audited; even better, the machines themselves run on Linux, an open source operating system. Can anyone doubt that this is better for democracy?
Security pros also need to work to change the perceptions of public officials. Unfortunately, many of them are ignorant about security, some willfully so ("In response to the Hopkins report [by Avi Rubin], Linda H. Lamone, the state election administrator, said yesterday that Maryland's experience in the 2002 election gave her 'absolute confidence' in the Diebold touch-screen system"). Couple that with a back-against-the-wall defensiveness, and you get statements like this, made by Penelope Bonsall, director of the Office of Election Administration at the Federal Election Commission: "The computer scientists are saying, 'The machinery you vote on is inaccurate and could be threatened; therefore, don't go. Your vote doesn't mean anything.'" No, Ms. Bonsall, that is most definitely not what security experts are saying. But believing so does help solidify your refusal to look at their concerns, doesn't it?
I have to admit, when I first heard about electronic voting, it made a lot of sense to me. After the Florida debacle in 2000, it made even more sense. But after extensive reading, I've come to the conclusion that electronic voting as a concept needs to be scrapped, or at least placed on hold while basic concerns are addressed. Unfortunately, I'm not very convinced that those basic concerns will ever be addressed, and that has me greatly concerned about the trustworthiness of elections in the United States.
Just because it's new and slick and sexy doesn't mean that we should adopt it. This is doubly true when we're talking about our elections, the heart of the American democracy. We shouldn't make a fetish out of speed and automation, especially when we ignore fairness, accuracy, and security. I think my grandmother would have agreed.
Further Reading
Bev Harris has been leading the fight against electronic voting for quite a while. Her Web site, at http://www.blackboxvoting.com or http://www.blackboxvoting.org, is required reading if you're interested in this issue. You can also download her book, Black Box Voting, from the site. Of course, if you buy her book, you further support her work.
Salon has published an excellent series of articles on the subject of electronic voting. You can find them by searching http://www.salon.com for the words "electronic voting".
Wired News has also been following the story, and you can read what they've said by searching the site for "electronic voting".
The Washington Post regularly posts in-depth, well-researched columns that deal with electronic voting. Search the archives for "electronic voting" or "Diebold".
For another technical analysis of the security problems associated with Diebold machines, see Douglas W. Jones' "The Diebold AccuVote TS Should be Decertified".
Scott Granneman is a senior consultant for Bryan Consulting Inc. in St. Louis. He specializes in Internet Services and developing Web applications for corporate, educational, and institutional clients.