FOREWORD: Introducing the User-Friendly, Error-Free, Tamper-Proof Voting Machine of the Future! (WARNING: Satisfaction not guaranteed if used before 2006.)
Broken Machine Politics
By Paul O'Donnell
On a cool afternoon last February, five politicians gathered in the heart of Silicon Valley for a meeting of the Santa Clara County Board of Supervisors. Their task: to replace the county's antiquated punch card voting system with $20 million worth of touchscreen computers.
Executives and lobbyists from three different voting-tech vendors were scheduled to present their wares, but the outcome was practically predetermined. Supervisors on the board's finance committee had already anointed a winner: Sequoia Voting Systems, based 35 miles north in Oakland. It was all over but the voting.
And then the computer scientists showed up: Peter Neumann, principal computer scientist at R&D firm SRI; Barbara Simons, past president of the Association for Computing Machinery; and Stanford computer science professor David Dill. They had been fidgeting in the front of the room through three hours of what Dill would later call "garbage."
Finally, they stood up and, one by one, made their case.
Voting, they explained, is too important to leave up to computers - at least, these types of computers. They're vulnerable to malfunction and mischief that could go undetected. Where they'd already been adopted, the devices - known in the industry as DREs, short for direct recording electronic - had experienced glitches that could have called into question entire elections. And they keep no paper record, no backup. "We said, 'Slow down. You've got a problem,'" recalls Neumann.
It felt odd - computer scientists inveighing against their own technology in the tone of geniuses lecturing undergraduates. They had been lobbying for months, and now "it was like they were making a last stand at Santa Clara," says one person who was at the meeting. The supervisors listened politely. "But the board didn't seem to see what it had to do with anything," says Liz Kniss, a supervisor who shared the concerns raised by the scientists.
In the end, Kniss and her colleagues voted 3 to 2 to award the contract. The last stand had failed - almost. At the final moment, the supes insisted that Sequoia be ready to produce DREs with a paper backup, should the county ever ask for them. It seemed like a sop to the geeks, but months later it would prove to be the smartest thing the board did that afternoon.
After Florida and the chaos of the 2000 presidential election, the nation's voting masters vowed: Never again. Never again would an election be jeopardized because the mechanics failed, and never again would parsing a winner be left to human discretion. Officials have scrambled to update voting equipment, creating a weird, three-pointed confluence of interests: civil servants, suits, and geeks.
Thanks to Florida, local governments find themselves sitting on piles of fix-it money - millions from city and county coffers and $3.9 billion from Congress, thanks to the Help America Vote Act of 2002.
The companies that make voting equipment are rushing to produce machines; at the same time, big players like Diebold, with almost $2 billion in revenue last year, are touting transparent, efficient, and chad-free elections. Meanwhile, some of the nation's elite computer experts and election watchdogs are hyperventilating. They see a fumbled opportunity - instead of using the tech to make democracy secure and accurate for the first time, we're building an electoral infrastructure with more holes than a punch card ballot. This future is getting hashed out not in Washington (the Feds don't run elections) but in the nooks and crannies of American politics, like that Silicon Valley board meeting. "Every year there are legislative proposals that make election administrators' eyes roll," says Warren Slocum, chief elections officer for San Mateo County, just south of San Francisco.
"The voting registrar's life has become wildly complex."
That's ironic, because electronic voting is supposed to make elections easier. The systems themselves are as simple to use as an ATM, and overvotes - one of the problems in Florida - are impossible. You can't select a second candidate without deselecting the first. The interface notes skipped races or ballot questions. With the addition of a simple numeric keypad and headphones, the visually impaired can vote independently.
Electoral officials get their own set of benefits. For example, some precincts in Southern California print ballots in Spanish, Vietnamese, Korean, and Tagalog, among other languages; registrars must guess how many of each to print before election day. And printed ballots often show candidates who have dropped out (such as Arianna Huffington in the California recall). By contrast, touchscreens can be quickly reprogrammed with new languages and ballot changes. When the polls close, an election worker inserts an "ender" card that tells the DRE it's time to aggregate the votes. The machine saves the tally in its internal memory and copies it to a flash memory card, which the worker removes and transports to a separate server. That's where the official count takes place - fast enough for TV networks to name a winner before the bars close.
Yet for all the ostensible advantages, digital voting's recent history plays like a Marx Brothers movie. In Southern California's Riverside County in 2000 - the state's first use of touchscreen DREs - a Sequoia server unaccountably froze, then began counting backward. In the central coast community of San Luis Obispo in 2002, a machine spontaneously began reporting totals with five hours left in the election. In Louisiana, humidity and overheating caused constant crashes. Last November, in Indiana, DREs reported more than 144,000 votes cast in Boone County, which has fewer than 19,000 registered voters.
With stories like these, it's not hard to suspect something sinister.
One of evoting's harshest, most vocal critics has been an online journalist named Bev Harris, a loquacious 52-year-old from the Seattle area with a keen nose for gossip. Her site blackboxvoting.org chronicles a litany of malfeasance and incompetence. Faulty equipment, miscounts, and tapping into vote-counting machines with cell phones are just the start. Harris rails against the right-wing Christian Ahmanson family's sponsorship of Election Systems & Software and the failure of US senator Chuck Hagel (R-Nebraska) to disclose financial ties to the company while its machines were being used to vote for him. And then there's the now-infamous smoking gun: a fundraising letter from Diebold's chief executive, Walden O'Dell, assuring fellow Ohio Republicans, "I am committed to helping Ohio deliver its electoral votes to the president next year."
Harris has particularly focused on Georgia in 2002, the first statewide elections using Diebold machines. There, a local IT worker claims he was hired to install state-certified software in new machines from Diebold but spent most of a sweaty election eve patching in fixes straight from the company. A Diebold spokesperson says the company has obeyed the election laws in every jurisdiction it serves.
In that same election, aides to secretary of state Cathy Cox worried that they would have no way of knowing whether any given machine at a poll had blown a fuse. So they distributed 8,000 night-lights to polling stations with instructions to plug the machines into the lights and plug the lights into the wall as an improvised tattle.
Lately, DRE critics have targeted the safety of the actual votes. When Stanford professor Dill put questions about cryptography to a Sequoia executive at a meeting of California's task force on evoting, the vendor said that they'd written the crypto themselves. "Do-it-yourself crypto is a bad idea," says Dill. A Sequoia spokesperson says the company uses "publicly tested and accepted" encryption standards.
All said, you don't have to be a conspiracy theorist to spin out a nightmare scenario. A well-orchestrated attack could change the outcome of an election for the entire country (see "5 Worst-Case Scenarios," opposite), and we might never know it happened.
Imagine the "Manchurian Programmer": a domestic political dirty tricks operation or, let's say, the People's Republic of China - technologically sophisticated, deep-pocketed, and with previous attempts at election trickery on its rap sheet - finds a programmer working for a vote-tech market leader and flips him to the cause. He instructs the machines to record a vote for one candidate as a vote for another. Normally, safeguards - so-called Logic-and-Accuracy tests - would catch such a problem. But the Manchurian Programmer writes his code bomb to operate only between certain hours on election day. The tests miss the flaw. Just a few votes get swapped, but that's enough.
Paul Kocher, CEO of computer security firm Cryptography Research, says changing only half a percent of the votes cast could have given the House to the Democrats in the last election.
Americans have always hoped technology would solve electoral problems. In the late 1880s, New York and Massachusetts introduced newfangled paper ballots pioneered in Australia. Lever machines, which reduced the number of ballots spoiled by error and fraud, first came into use in 1892. And punch cards appeared in polls in the mid-1960s, when UC Berkeley political scientist Joseph Harris adapted IBM computer cards.
(Harris' prototype IGS Votomatic turned up in university storage in 2001; now the Smithsonian has it.) Westinghouse Learning's "mark sense" cards grew out of optical-scan technologies developed to grade the ACT college entrance exam.
Today, touchscreen machines are spreading faster than any previous voting technology. In the California recall election in October, 9 percent of voters made their selection directly on a computer. By the state presidential primary in March, it'll be 32 percent. "All counties will eventually utilize touchscreens," says John Groh, senior vice president at Election Systems & Software. "It will reduce their costs and give everyone access to the ballot."
It will also create a monster of a market. A midsize state typically needs 20,000 machines, at about $3,000 apiece, plus service contracts and upgrades. In May 2002, Georgia paid more than $50 million to go digital; Maryland signed a similarly sized deal. The manufacturers have been on their own buying spree. In 1997, ES & S started rolling up other companies, like Business Records, one of the original purveyors of optical-scan units. In 2002, De La Rue, a British provider of banknotes and other secure documents, paid $23 million for Sequoia, which then served 70 counties in 17 states.
Perhaps most fatefully, Diebold got into the game. A maker of safes and vaults before the Civil War, the Ohio-based company eventually expanded into alarms and other security systems. In the 1960s, it prototyped an automated teller machine; today Diebold makes two-thirds of the ATMs in the US. In 1999, the company bought a South American computer outfit named Procomp, which was awarded a contract to provide DREs for Brazil's presidential election. Two years later, in the biggest play so far, Diebold paid $26 million for Global Election Systems, with sales contracts in more than 850 North American jurisdictions.
Joe Torre is not your typical Maryland powerbroker, not the kind of legislative hack who has a sandwich named after him at Chick and Ruth's Delly - that's how they spell it - a couple of blocks from the state capitol in Annapolis. But Torre, a native with the appealing near-drawl indigenous to this near-Southern state, wields his own kind of influence. He's the voting equipment procurement officer, and last year he spent more money on election technology than anyone in US history.
See, in 1994, Maryland had its own mini-Florida. The Democratic governor, Parris Glendening, survived an ugly recount after edging out his opponent, Republican Ellen Sauerbrey, by just 5,993 votes.
Sauerbrey sued, the FBI got involved, and the state's voting equipment got part of the blame.
Torre and the election board's implementation officer, David Heller, entertained presentations from at least five companies, small and large. One of the vendors took hours to set up. Another one, says Heller, had a system that looked like it ran on vacuum tubes. But Diebold "seemed to have the most business sense." Torre liked it for a simpler reason: the familiar, ATM-like interface. In March 2002, the election board bought 5,000 Diebold machines for a pilot program in four counties. Last July, Maryland agreed to buy 11,000 more. Cost of creating a new infrastructure for elections: $55.6 million. Cost of not having the FBI oversee those elections: priceless.
Then, a few days after the contract with Diebold had been signed, the bits hit the fan. A computer security expert from Johns Hopkins named Aviel Rubin published a report eviscerating Diebold's tech.
How Rubin got involved is a bit of a tale. Six months earlier, just after the supervisors meeting in Silicon Valley, Bev Harris - the anti-DRE writer - was Googling Diebold. She stumbled on a company FTP site containing what looked like code for the AccuVote-TS, one of Diebold's touchscreen units. She announced on her Web site that she'd found the code, but she didn't know what she had. David Dill did. He passed along word of the Diebold code to Rubin.
Rubin is a leader in the field. He served on a National Science Foundation panel on computers and voting, and he helped the Costa Rican government study Internet-based elections. Plus, he gets jazzed about bulletproof code and rock-solid security the way some guys get jazzed about sports. He'd even asked Diebold for a machine to dissect (they said no). "Everything changed when we got to peek under the hood," he says.
Rubin called in two graduate students, Adam Stubblefield and Tadayoshi Kohno, and told them he had "a drop-everything project." Stubblefield had been Rubin's intern at AT&T; while there he had confirmed that Wi-Fi networks were hackable, identifying the encryption keys in just a week. (The Wi-Fi crypto standard is now being upgraded.) "I talk about 'Adam units,'" says Rubin. "He does in a day what others do in a month, and Yoshi is in the same league."
In a few days, Rubin, Stubblefield, and Kohno isolated the encryption keys that protect data on a Diebold machine. Then they moved on to larger, structural weaknesses. Rubin published an extensive report criticizing the devices. "They made mistakes I wouldn't expect an undergraduate in computer security to make," Rubin says. Programmer logs, previously hacked from Diebold's Web site, disparaged the code:
"This is a bit of a hack for now," one note reads. Other problems: The smartcards with which voters log in use unencrypted passwords (easy to fake - either to vote more than once or prematurely close out a DRE).
The machines are protected by the outdated Data Encryption Standard, crackable in 24 hours or less. Anyone who wanted to rig an election could bust open the data files - say, while transporting flash memory cards - and insert new vote tallies. And Diebold runs it all on Microsoft Windows CE, not exactly the Fort Knox of operating systems.
When Kohno presented their analysis to some 500 computer security experts at the Crypto 2003 conference in Santa Barbara last August, "we lost at least a minute of our five minutes up there to laughs," Rubin says.
The repercussions were immediate - and hardly what Rubin expected.
Diebold initially objected on technical grounds, saying Harris found outdated code. Then the company sent Rubin a letter warning him to shut up. In September, Diebold prevailed on Bev Harris' ISP to shut down one of her Web sites that linked to Diebold memos, and the manufacturer has since sent cease-and-desist letters to others who posted copies. Maryland officials maintain they are grateful that Rubin issued his report. As a result, they hired Science Applications International Corporation to do an outside review of the Diebold machines. SAIC found many of the same flaws. Maryland got Diebold to close the most egregious gaps in security - the company made administrator passwords programmable instead of hardwired, improved the encryption on ballot results transmitted by modem, and gave officials the ability to alter encryption keys. Then Maryland let the contract with Diebold go forward.
Rubin doesn't seem to understand entirely why his report got everyone in Annapolis so upset. "We didn't do it the day before the election," he says. Stubblefield pipes in: "We expected they would fix it." Rubin admits that a perfect system is hard to imagine for a population as large as the US (his solution is an impracticable, multitiered design diagramed on his whiteboard). The real problem, he points out, is that the soul of computer security is authorizing specific people to do specific tasks, usually via password. But connecting specific voters to their selections is precisely what our secret ballot system forbids.
Standing before the Santa Clara Board of Supervisors back in February, David Dill pitched a solution. The only way to verify an electronic election, he said, is to keep a paper trail. In Florida, when the presidential vote went down the pipes, the state initiated a hand count of every ballot. Most DREs don't offer that choice. But if they printed a vote tally in addition to storing the 1s and 0s, a blackhat hacker couldn't really affect the outcome. "If there's a paper trail," Rubin says, "Osama bin Laden could write the code and it wouldn't matter."
In late November, California's secretary of state, Kevin Shelley, conceded the point. He announced that by 2006, all DREs must be equipped with paper. Other states are expected to follow. While a few small vendors of election technology say they're ready to comply, only one major player, ES&S, has produced a prototype that includes paper. It's a kludge, a voting device grafted to a 1920s-era pneumatic tube transport system. The box has a plastic pipe attached; the paper ballot pops out for verification, then whooshes into a lockbox when the voter approves.
Adding paper won't come cheap. Alfie Charles, a spokesperson for Sequoia and a press officer for California's previous secretary of state, says it'll tack on 15 percent to the cost of a $3,000 machine.
That's an extra $55 million to $65 million statewide.
So the computer scientists in Silicon Valley are vindicated. But whether DREs are trustworthy overall is still an open question.
California may have helped with that, too. In the October recall election, voters used a smorgasbord of devices: optical scan ballots, punch cards, and touchscreens.
Afterward, Rebecca Mercuri, a computer scientist and research fellow at Harvard's Kennedy School of Government, and a proponent of paper backups, ran the numbers. Of almost 8.4 million votes cast, 384,427 were not recorded for the recall question, either because of an error in the ballot technology or because the voter didn't register a choice (given the nature of the election, that's not likely). In the parlance of the field, that's a "residual rate" of about 4.6 percent.
Surprisingly, there was no correlation between residual votes and the type of voting technology. Some kinds of punch cards, to be outlawed in California by spring, "fared somewhat better, on average, than all of the optically scanned and touchscreen systems," Mercuri wrote in an email. And on the recall question, Diebold's AccuVote TS - the one Rubin cracked and attacked - lost the fewest votes of all.
Mercuri's ambivalent findings seem likely to disappear in a debate that, she says, is losing nuance. To people opposed to digital voting, "you've got two extremes," she says, "the doofuses who don't know how to vote, and those who are stealing votes in huge numbers." On the other side, vendors demonize the tech experts without responding to their ideas. And politicians, under pressure to ensure Florida never happens again, simply accept the solution offered by the traditional suppliers. By raising the specter of hacking, Rubin may have distracted attention from the problem of poor quality. Even David Allen, coauthor of Bev Harris' book, thinks the danger of hackers has been overemphasized. "Rigging elections is too hard, and the stakes are too high," he says of Diebold's misadventures in Georgia. "It's more likely that crappy software threw the election."
The dark secret of running elections is that the people in charge have never been able to rely on the security of voting machines, computerized or otherwise. Much of what they call electoral science is actually just safeguards that have grown up to prevent fraud, beginning with close observation of voters at the polls. DREs are supposed to improve on existing systems, but really they're just a way to keep up with newly revealed problems endemic to the existing system. "There are secure systems that can be run insecurely," says Torre, "and insecure systems that can be run securely." Either way, we're facing another presidential election in November.
5 Worst-case Scenarios
By Paul O'Donnell
Today's digital voting machines don't keep a paper record of individual votes, so if something goes wrong, there's no backup for the data. And if history is a guide, something will go wrong. Officials have answers for every scenario, but some of their solutions are more convincing than others.
SCENARIO: A rogue programmer tweaks the code to swap votes from Democrat to Republican, or vice versa.
SAFEGUARD: Logic-and-Accuracy testing roots out any such code bombs. And in the actual program that counts votes, ballot positions are scrambled, making a switch hard to mastermind.
SCENARIO: A voter upgrades his access with a counterfeit version of the smartcard issued to every person as they vote. Result: He can vote multiple times.
SAFEGUARD: The voting booths have no curtains; polling-place volunteers are trained to watch for suspicious behavior.
SCENARIO: A hacker changes the count on memory cards from individual machines or on the server used to tally the votes.
SAFEGUARD: The number of votes won't match the totals on hardwired memory in each DRE device - or the number of voters who signed the rolls.
SCENARIO: A power outage cuts electricity to the polls.
SAFEGUARD: Internal batteries provide juice in a blackout, and many polling places - schools, churches, and so on - have disaster preparedness kits that include generators.
SCENARIO: Someone walks out of a polling booth and announces he has gamed the machine and no one will ever figure out how.
SAFEGUARD: Polling-place staffers take the DRE offline and call tech support for a diagnostic. Meanwhile they look for obvious discrepancies, like more votes recorded than voter signatures on the rolls.
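The count-matching safeguards in the scenarios above (memory card against each DRE's built-in memory, votes against roll signatures), sketched as an added example that is not from the article or from any vendor; the record layout, names and every tally are constructed. It also shows the limit of these checks: a swap made in software before either memory is written leaves all counts consistent.

```python
from dataclasses import dataclass

@dataclass
class Machine:
    machine_id: str
    internal: dict  # tally in the DRE's built-in memory: candidate -> votes
    card: dict      # tally read back from the removable flash card

@dataclass
class Precinct:
    name: str
    signatures: int  # voters who signed the rolls
    registered: int  # registered voters in the precinct
    machines: list

def reconcile(precinct):
    """Return (check, detail) findings; an empty list means every count agrees."""
    findings = []
    total = 0
    for m in precinct.machines:
        candidates = sorted(set(m.internal) | set(m.card))
        # Per-candidate (internal, card) pairs that disagree on this machine.
        diff = {c: (m.internal.get(c, 0), m.card.get(c, 0))
                for c in candidates
                if m.internal.get(c, 0) != m.card.get(c, 0)}
        if diff:
            findings.append(("card_vs_internal", f"{m.machine_id}: {diff}"))
        total += sum(m.card.values())
    if total > precinct.signatures:
        findings.append(("votes_exceed_signatures", f"{total} > {precinct.signatures}"))
    if total > precinct.registered:
        findings.append(("votes_exceed_registered", f"{total} > {precinct.registered}"))
    return findings

# Constructed sample data (hypothetical precincts, candidates X and Y).
CLEAN = Precinct("P1", 300, 450,
                 [Machine("A", {"X": 120, "Y": 180}, {"X": 120, "Y": 180})])
# Card tally changed after the machine wrote it; the card total still equals signatures.
CARD_ALTERED = Precinct("P2", 190, 400,
                        [Machine("B", {"X": 100, "Y": 90}, {"X": 60, "Y": 130})])
# Both memories agree, but report far more votes than voters.
INFLATED = Precinct("P3", 210, 500,
                    [Machine("C", {"X": 400, "Y": 350}, {"X": 400, "Y": 350})])
# Voters chose X:150, Y:50, but the software stored the swapped tally in both memories.
SWAPPED_IN_CODE = Precinct("P4", 200, 420,
                           [Machine("D", {"X": 50, "Y": 150}, {"X": 50, "Y": 150})])

if __name__ == "__main__":
    for p in (CLEAN, CARD_ALTERED, INFLATED, SWAPPED_IN_CODE):
        print(p.name, reconcile(p) or "counts agree")
```

P4 reconciles cleanly even though its tally is wrong, which is the case a voter-verified paper record is meant to cover.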
Paul O'Donnell is a producer at Beliefnet.
© 1993-99 The Conde Nast Publications Inc. All rights reserved.