Google the terms “hiccup” or “glitch” along with the words “electronic voting equipment” and you’ll get some interesting insight into widespread chaos that could hit polling places this November. In primaries across the nation earlier this year, problems with newly implemented computer-based voting systems, often blamed on software “glitches” or election “hiccups,” caused voting results to be delayed, tallied incorrectly or reversed entirely.
“We need to ban the word glitch from election vocabulary. All a glitch is is something that disenfranchised voters,” voter-rights activist Bev Harris told The Indypendent. Harris is the founder of Black Box Voting (BlackBoxVoting.org), a website that has become an authoritative source on the failures of electronic voting equipment over the past few years. “[Voters] need to get the public records and they need to look a little deeper, and if they do in the days following the election… it’s going to fall apart like a cheap suit,” said Harris.
“When Black Box Voting has gotten the records in the past, typically the records do not support the results. They don’t match; they show all kinds of anomalies,” she said.
A bevy of recent problems in 2006 primaries support Harris’ concerns:
• In Pottawattamie County, Iowa, the June primary election results of nine races were reversed when a hand count of ballots tabulated by an ES&S-manufactured optical scanner revealed that all the winners were, in fact, losers.
• 100,000 extra votes appeared on a Hart InterCivic paperless Direct Recording Electronic (DRE) machine in a March primary race in Tarrant County, Texas, earlier this year – despite the fact that there were only 58,000 registered voters.
• Programming “glitches” caused results of the March primary in Cook County, Ill. (which includes Chicago), to be delayed by up to a week, when the county’s new Sequoia touch-screen DRE and optical scanner machines failed to transmit results from precincts in the area.
• After widespread reports of problems with Ohio’s electronic voting equipment in the 2004 election, the Election Science Institute completed a three-month study following the March 2006 primary in Cuyahoga County, Ohio (which includes Cleveland). The study found that Diebold touch-screen machines recorded four different vote totals, with totals on two separate paper records, the election archive and the memory cards all differing. The researchers concluded that using the electronic machines was a “calculated risk” and that “the election system, in its entirety, exhibits shortcomings with extremely serious consequences, especially in the event of a close election.”
Electronic voting machines were supposed to solve the problem of elections in this country. After the very public failure of punch cards and butterfly ballots in Florida’s 2000 presidential vote, Congress passed the Help America Vote Act (HAVA) in 2002, which allocated $3.9 billion to states to update and improve an apparently antiquated voting process while also improving access for disabled persons.
Instead, HAVA opened the door to nationwide adoption of untested and problematic electronic voting technology that has given unprecedented power to private industry to control the outcome of elections. The implementation of that new technology has also revealed fundamental failings in the current electoral system and an inability on the part of federal, state and local governments to ensure that democracy in this country functions as it should.
“There’s really not a new problem here…. We’re just seeing the problem because we’re looking. A lot of the problems are really entrenched, long-term problems,” said David Dill, Professor of Computer Science at Stanford University who founded Verified Voting (VerifiedVoting.org), a nonprofit organization that advocates reliable and publicly verifiable elections. “[As a nation] we don’t have an attitude about elections that those are precious things that need to be protected.”
A NEW AGE OF FRAUD
Nearly 90 percent of registered voters, or 150 million people, now live in counties that will use some form of electronic voting equipment in the upcoming election – a 63 percent increase in voters affected since the 2000 elections, when the majority of precincts used mechanized lever machines or punch-card ballots.
The electronic voting equipment that will be most widely used in the 2006 elections is the optical scanning machine, which scans paper ballots filled out by voters and tallies the count. These machines, while susceptible to many of the computer glitches and security concerns raised by critics, have one striking advantage over other types of voting equipment: a paper trail.
Thirty-nine percent of registered voters will cast ballots in counties using DRE devices, which look and function much like an ATM machine, while lacking one crucial feature. All ATMs are equipped with receipt printers and can be audited for mistakes by banks and customers. In states like Maryland, Georgia and Florida, some voters will be using completely paperless DREs in the upcoming election, which leave no record of the vote anywhere but inside a computer’s memory bank.
“Computer systems are so complex that it is impossible to check that the software or the hardware is correct or honest,” said Dill, who called paperless voting “silly.”
“Software is very complicated, it’s really hard to write a large program to get it right – it’s essentially impossible,” said Barbara Simons, a former IBM employee who served as president of the Association for Computing Machinery from 1998 to 2000 and now sits on the board of Verified Voting.
Not only are machines susceptible to bugs and malicious programming that can change votes, say critics, but it is next to impossible for anyone to check what is happening on the inside of the machines. “We have no way of auditing the system designs,” said Dill, whose research is in the field of checking the correctness of hardware and software running in computer systems. “It is impossible to check that the software or the hardware is correct or honest.”
The anonymous nature of the electoral process guarantees that no single voter will ever be able to go back and check if her or his vote was recorded correctly. For systems that rely on paperless technology, that means trusting that the computers are tabulating votes correctly with no means of double-checking. And while paperless mechanical lever machines (which are still in use in New York) raise difficult questions about the ability to verify votes, officials or poll workers with access to the machines would have to rig each machine individually, making widespread vote fraud much less likely.
However, a slew of recent studies have proven that electronic voting machines are capable of being hacked and manipulated internally by almost anyone with access to the machines, including vendors, poll workers and voters themselves, while malicious code and viruses can affect thousands of machines, with no way of detecting or proving fraud.
“The threat that I’m most concerned about is undetectable, widespread, wholesale fraud – that’s the threat that keeps me up at night with these machines. Will you ever detect that undetectable fraud? By definition you won’t,” said Johns Hopkins computer scientist Avi Rubin at a recent signing of his new book, Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting.
“The question isn’t, has [voting fraud] occurred? We don’t know. And if it did occur, we wouldn’t know, because that’s the nature of the fraud we’re concerned about.”
THE DIRT ON DIEBOLD
In 1997, as an employee of AT&T Labs, Rubin worked on a project with the government of Costa Rica to design an electronic voting machine for that country.
“I started getting very nervous, started thinking like an adversary, as I’ve been trained to do as a security person, thinking about what you might be able to do to rig these machines if you wanted to,” he said. “We, the people that were building and designing that system, were in a position to do so in a way that we could control the outcome if we wanted to,” he said. “I had [initially] thought this was a good idea, and decided it was a pretty bad idea,” he said.
Rubin’s explorations of electronic voting technology would not end there. In 2003, he co-authored a report analyzing source code from a Diebold AccuVote-TS machine that Bev Harris had discovered on the internet. The code had come from an unsecured Diebold website and was the first look at the internal workings of an electronic voting system. Diebold, like all the elections systems companies at the time, had refused to allow outside analysis of its software, claiming that code was proprietary.
Rubin and three other scientists wrote a paper on the Diebold source code, known as The Hopkins Report, which revealed “significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater.”
“Personally, I now believe that if that code were written by the world’s best programmers and the best security experts, and didn’t have the problems that we found, they would still not be good machines to use. But that’s not the case, it was riddled with security problems,” said Rubin of the Diebold software he analyzed in 2003.
The Hopkins Report was just the first of several reports with devastating conclusions about the security of Diebold’s equipment. At the invitation of Utah and Florida election officials concerned about their own equipment, Harris employed Finnish computer scientist Harri Hursti to hack into Diebold optical scan and AccuVote-TS machines last year.
“We did it four different times, using eight different methods. And every time it took about 60 seconds. And the election supervisors knew that we were there and couldn’t stop the hack,” said Harris of the experiment. Hursti was able to hack into the AccuVote-TS machine after his analysis found a “back door” into the Diebold system that would allow anyone to upload malicious software into the computers as long as the program contained the correct file name.
Using the back door discovered by Hursti, a team of Princeton computer scientists released a report demonstrating how “an attacker who gets physical access to a machine or its removable memory for as little as one minute could install malicious code…” that could “steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.”
“I think the security vulnerability that Harri Hursti found…is the most dramatic security problem that anyone has uncovered in these Diebold systems,” said Rubin. “When I read [the report], I sat back in my chair and said well, we can kiss Diebold goodbye,” said Rubin. “[I thought] there is no way that when this is made public anyone will continue to use Diebold; I was wrong.”
Three hundred and sixty counties, covering as many as 16 million registered voters, will vote using the AccuVote-TS system this upcoming election.
The significant security flaws exposed by Rubin and others point to a lack of oversight on both the state and federal level to assure that voting equipment works properly and doesn’t, for example, steal votes.
“Certification that’s being done these days is a joke, it’s a farce, and it doesn’t count. It hasn’t caught these problems,” said Simons.
The federal government currently offers voluntary standards for voting equipment. While provisions in HAVA require that the National Association of State Election Directors develop standards for voting technology, the funding for developing these standards has yet to materialize. Instead, states are required to complete independent testing of equipment before the association can certify their machines for use. The tests themselves are conducted by the Independent Testing Authority (ITA), a consortium of federally accredited labs – Ciber, Wyle Labs, and Systest – that are paid by voting machine vendors and are hardly “independent”. The labs are required to test for certain criteria only. A machine that meets the standards laid out by the vendors but which was found to contain any number of security or design flaws could still be approved by the ITA.
Any problems uncovered by the ITA are considered proprietary information that cannot be shared with states or the public. In fact, election systems companies claim that any look at the inside of their machines violates “trade secrets.”
“There are no real trade secrets in these machines – what they do is not rocket science,” said Simons. “I think that they don’t want people seeing the code because there are lots of problems with it, because every time a computer scientist has gotten his or her hands on the software, they’ve found problems.”
THE PAPER PLACEBO
In response to the growing chorus of concerns raised about the paperless Direct Recording Electronic voting machines, 27 states now require a voter-verified paper trail, as opposed to only ten when HAVA was passed four years ago. Retrofitting DREs with printers should, in theory, provide a record of the voters’ intent, even if the computer records it incorrectly. However, in practice, the “paper trail” can be of little use. Not only is a lengthy manual recount made more difficult by printer rolls that do not facilitate straightforward tallying of votes, the supposedly “verified” record can be difficult to read for voters analyzing their results.
“The paper records can be untrustworthy because the printers don’t work right, some of the paper records are missing or illegible, or because voters don’t check them,” said Dill.
If a paper trail diverged greatly from an official vote count, there would still be no clear idea as to what the “real” tally of an election was. “Those need to be the votes of record and if the electronic records are more reliable than the paper records then you’re back where you started from, of having to trust this computer which is essentially totally untrustworthy.”
A paper record is meaningless if no one checks it. “Most states around the country that have a voter verified paper trail requirement don’t have corresponding rules that say what you actually have to do with it,” said Matt Zimmerman, an attorney for the Electronic Frontier Foundation, a digital rights organization. Zimmerman is the lead attorney in White v. Blackwell, a lawsuit that claims that Ohio’s entire election system is unconstitutional.
The Ohio lawsuit could have a national impact if it successfully challenges that state’s election process from its certification requirements all the way up to the way the state trains poll workers and election officials on how to use these systems.
STUCK WITH THE BILL
With so much money spent on elections systems that do not work or are not verifiable in any basic way, many states are now stuck with the cost of their mistakes. After California sued Diebold in 2004 for “overly aggressive marketing” of its TSx voting machine in which “not a single version of the TSx firmware has completed federal qualification testing for use in the November 2004 election,” the state eventually settled its suit with the company for $2.6 million and recertified the equipment for use in the 2006 elections.
The state of Maryland, which spent $106 million on Diebold paperless DREs, experienced widespread problems with the new equipment in the 2006 primary races. Touchscreen electronic poll books, used to check voters in and keep track of who voted and where, failed across the state. By attaching a mouse to the poll books, Diebold claims to have fixed the problem. The state’s Republican Governor Robert Ehrlich is now urging voters to vote via absentee ballot in order to avoid using the paperless DREs.
While absentee voting may increase, many voters will have to deal with machines that don’t work properly or the lingering suspicion that the machines don’t accurately record their votes. For Bev Harris, who began her voting activism after reading an article on the Internet, the only way to ensure free and fair elections is “for people to step away from the Internet” and become poll workers themselves. “They’re going to actually have to engage, become participants in democracy,” she said.
Still, if and when voters finally demand an overhaul of the current mess from their elected officials, a bigger question remains: What do you do with hundreds of millions of dollars of useless voting equipment?
“I recommended to them [state officials] that they give these thirty, forty thousand machines that they have to the schools, attach a mouse and a keyboard, they’re Windows machines, let the kids use them,” said Avi Rubin, who votes in Maryland. “Or give them to a country whose government we want to control.”