A recently published study documenting a host of security flaws in a leading touch-screen voting system has caused elections officials across the United States to question the use of electronic voting machines.
Exclusive to American Free Press
By Christopher Bollyn
A published report from a team of computer experts exposing a wide range of security flaws in a leading touch screen voting system has sent "shock waves across the country" and caused elections officials to question the use of electronic voting machines.
"The story is only beginning," Douglas W. Jones, associate professor of computer science at the University of Iowa, told American Free Press . Jones is key to understanding the security flaws a team of computer experts from Johns Hopkins and Rice University found when they examined the "source code," the software that runs the Diebold AccuVote-TS voting system.
Aviel D. Rubin, associate professor of computer science and technical director of the Information Security Institute (ISI) at Johns Hopkins, led the study. The group's 24-page report, Analysis of an Electronic Voting System , was published July 23.
Diebold voting machines are used in 37 states. Nearly one in five Americans votes on touch-screen voting machines.
Although voting machines were not on the agenda for the National Association of Secretaries of State (NASS), the release of the Hopkins report prior to their late July conference in Portland, Me., forced a change. The conference discussed whether the National Institute of Standards and Technology should be asked to establish new standards for computerized voting machines.
"There is a sense that in the past [critics of computer voting machines] were part of the black box crowd and conspiracy theorists," Kay Albowicz, a representative for NASS said. "No one is saying that now."
Albowicz could only have been referring to the numerous stories about computer voting fraud carried in The Spotlight , a newspaper shut down by the federal government in 2001.
"The Johns Hopkins study is the first piece of evidence that current touch-screen technology could be seriously flawed," the Internet-based Wired News (WN) reported.
"As the computer scientists at Johns Hopkins recently reported, these new machines are vulnerable to massive fraud," Rep. Rush Holt (D-N.J.) said. "Unless Congress acts to pass legislation that would make sure that all computer voting machines have a paper record that voters can verify when they cast their ballots, voters and election officials will have no way of knowing whether the computers are counting votes properly."
Holt has introduced a bill, H.R. 2239, which would require computerized voting machines to provide voter-verified audit trails, something first advocated by The Spotlight .
Computer scientists have said for years that voting machines should provide a voter-verifiable paper trail to prevent vote fraud. "In the absence of any significant audit trails, you have no knowledge whatsoever as to what goes on inside the systems," Peter Neumann of Stanford Research Institute said in 2002.
The ISI researchers examined code from Diebold Elections Systems Inc. voting machines and found serious flaws. Thousands of computer files, including program files, were discovered on an unprotected company file transfer protocol (ftp) site on the Internet. Diebold "field representatives used the site to fix the company's voting machines," WN reported.
"They claim they keep everything secure, but this shows the lax nature of their [Diebold] procedures," said Rebecca Mercuri, a computer science professor at Bryn Mawr College. "This just blatantly flies in the face of good security."
Diebold spokesman John Kristoff said it was "an oversight" that source code had been available to the public over the Internet.
Computer experts say the ftp files indicate that security flaws exist also in Diebold's optical scan machines.
Experts discovered an oddly named folder on the ftp site named "rob-georgia." This folder contained program "patch" files, which instruct the computerized voting system to replace the existing program with another. Georgia, which experienced a historic Republican upset, was the first state to exclusively use Diebold touch-screen machines in November 2002.
Rubin had published an earlier paper speculating on different ways an electronic voting machine could be compromised. "Looking at the actual code," he said, "it appears a lot worse than I predicted." Among the "stunning flaws" found in the Diebold voting system was that it left ballot choices and election results open to tampering, even from a remote location.
States have taken the attitude that assumes electronic voting systems are secure until proven otherwise, Rubin said. "People will use it unless someone can show it's insecure," he said. "I don't know if that's the right model we should be taking for elections."
"Within the first half-hour of analysis, we found some immediate red flags," Yoshi Kohno, one of the ISI researchers, said. "The more we examined it, the more we concluded this thing [AccuVote-TS] should not be used in elections."
"You can't take something that's that broken and turn it into something secure," Rubin said. "I am against electronic voting because I think voting is too important and computers are too difficult to secure.
"I don't think anybody has the capability to develop a whole new system from scratch in a year," Rubin said, "and I don't think Diebold had any incentive to do so, because none of this news broke until recently.
"We looked at the software, and it was poorly written," he said. "[For example,] all machines had the same password hardwired into the code. Computer Security 101 would tell you that's the first thing not to do.
"We have claimed that, in the Diebold code we examined, 'cryptography, when used at all, is used incorrectly,' " said Rubin.
Diebold has some 50,000 machines counting votes in California, Georgia, Kansas and some in Maryland counties, including Prince Georges and Montgomery. Maryland purchased more than 5,000 Diebold touch-screen machines for $17 million in March 2002.
Howard A. Denis, a Montgomery County council member, was "so shaken by the Hopkins report that he is considering asking for a waiver to stop using electronic machines," The Washington Post reported. " 'The more I look into this, the more serious I think it is,' " said Denis.
"I don't want to have this thing whitewashed and have a lot of happy talk, and have people trying to mollify us and blow off these charges," Denis told the Post . "The integrity of our democracy is really at stake here.
"The electronic machines were forced down our throats by the state," he said. "We were used as guinea pigs for this, and on top of it we had to pay for it."
The critical Hopkins report has caused a number of states to back away from purchasing any kind of electronic voting machine system. "The rush to buy equipment this year or next year just doesn't make sense to us anymore," said Cory Fong, North Dakota's deputy secretary of state.
HELP STEAL AMERICANS' VOTES
The Help America Vote Act, passed in November 2002, provided $3.9 billion to replace older voting machines with what have now been shown to be insecure electronic voting systems. The federal act created "a gold rush" for the companies that make and operate electronic voting machines because it requires all states and the District of Columbia to replace antiquated voting equipment by 2006.
"Of the $1.5 billion appropriated so far to replace old machines . . . about half has been released," the Post reported. "And that has all gone toward buying electronic machines, which cost as much as $4,000 apiece."
Jones, as an Iowa state elections official, examined the flawed computer code five years earlier and pointed out the security problems to the system's developers and to government officials. "They promised it would be fixed," he said. "The Hopkins group found clear evidence that it wasn't. Yet for five years, I had been under the impression that it was fixed."
Jones said he was shocked to discover the flaws had not been corrected.
"There are more shenanigans. The hole had not been patched," Jones told AFP. "They can use the excuse of incompetence, but there are hints of deliberation . . . The Diebold machine should be decertified. Incompetence alone should be justification for de-certification. They were told and they didn't fix it."
Jones told AFP that he first examined the Global Election Management System, or "GEMS" software in November 1997. Global was acquired by Diebold in 2001.
A three-man panel from the Virginia State Board of Elections was asked to certify an upgrade to the state's Diebold voting machines.
"An outside consultant," who remained unnamed in The Washington Post , "assured the three-member panel recently that the [Hopkins] report was nonsense."
'A LEAP OF FAITH'
"I hope you're right," Chairman Michael G. Brown said, taking "a leap of faith" and approving the upgrade. "Because when they get ready to hang the three of us in effigy, you won't be here."
"Unfortunately, he's wrong. The report is generally valid," said David L. Dill, computer scientist at Stanford University and member of the California Secretary of State's Ad Hoc Touch Screen Task Force. "It's been obvious that [electronic voting machines] can be hacked, and Aviel [Rubin] shows that they can be hacked. They've blown up all the arguments that the present machines are OK.
"If the Virginia State Board of elections were really worried about being burned in effigy, it would have been prudent to seek a broader range of advice," he said.
Dill identified the unnamed consultant as Brit Williams, the Georgia-based voting machine technologist at Kennesaw State University, who was instrumental in bringing the Diebold touch-screen voting to Georgia. Williams was a consultant to the Federal Election Commission during the development of the FEC Voting System Standards in 1990 and 2002. He also chairs the National Association of State Election Directors (NASED) Voting Systems Board Technical Committee and consults for several states, including Virginia.
Iowa professor Jones told AFP that Williams is "heavily invested in the process" of introducing touch-screen voting systems across the United States. Williams was "installed" in a key position at the Institute of Electrical and Electronic Engineers, Inc., which has been "setting standards for many years," from which he advised the FEC on electronic voting systems, Jones said.
"Williams believes that he can detect malicious code in voting machines by testing them," Dill said. "I think he's on the defensive because he was so involved in the deployment of Diebold's machines in Georgia."
Georgia is perhaps "hardest hit by the growing Diebold scandal," said Bev Harris, author of Black Box Voting: Ballot-Tampering in the 21st Century . On election night 2002, 67 memory cards with thousands of votes went missing in Fulton County, Harris reports. The loss of memory cards is comparable to lost ballot boxes.
Right before the election in Georgia, an unexamined program "patch" was hastily installed on the 22,000 Diebold voting machines across the state. A patch inserts a "program fix" into the existing code.
One of the folders found on the Diebold ftp site was one named "rob-georgia." This folder contained patch files that instructed the computer to replace the existing GEMS program with another. AFP has confirmed that the Diebold code used in Georgia was not inspected prior to the 2002 election.
"Putting patches on 22,000 voting machines without looking at the underlying code has put the Georgia election results in doubt," Harris wrote. "Source code files clearly show that Windows source code was modified."
"Georgia law requires that any time software is updated, it must be re-certified, but the patches were never examined by testing labs," Harris said. In Georgia, "no one bothered to see what the patch did."
Harris asked Williams about the lack of security in applying the unexamined code patch just before the election in Georgia. "That's a real good question," Williams said. "Like I say, we were in the heat of the election. Some of the things we did, we probably compromised security a little bit."
Williams did not examinee the Diebold code or the patch: "We don't look at the source code, that's the federal certification labs that do that," he told Harris.
Harris said the flawed code examined by Rubin's team was used during the November 2002 election in Georgia, Maryland, California and Kansas. The insecure software may have been used in "as many as 13 states and 197 counties," she said.
"If a programmer employed by an election machine manufacturer introduces malicious code into the system that can change votes, even the most competent local election officials will not be able to stop it or detect it," Dill said.
Most computer crimes are "committed by insiders--not because insiders are more dishonest, but because it is easier for them to commit the crimes and, sometimes, escape detection," Dill said.
Maryland Gov. Robert L. Ehrlich Jr. (R) has asked Science Applications International Corp. (SAIC) of San Diego, which has an existing $2.6 million contract with the state to analyze software, to review the security of the Diebold system. If security flaws are found, then Maryland's $55.6 million contract with Ohio-based Diebold for 11,000 machines may be canceled. The SAIC evaluation should be ready in early September.
"I think SAIC has competent people," Rubin said. "But if SAIC passes the software, then I'll be very suspicious," he said. "I obviously don't think this thing is going to pass the tests."
SAIC is working with Diversified Dynamics of Glen Allen, Va., in the development of a voting system known as the System 5 DVRS.
The Post article identified the three "major players" in the U.S. electronic voting-machine industry: Diebold, Election Systems and Software (ES&S) and Sequoia Voting Systems, which it incorrectly described as "Oakland, Calif.-based."
"It is a British-owned company," Sequoia Vice President Kathryn Ferguson told AFP. Sequoia operates 40,000 direct recording electronic voting machines in the United States, Ferguson said.
Dill leads a coalition that has declared computerized voting machines to be "inherently subject to programming error, equipment malfunction and malicious tampering." More than 900 computer professionals signed the coalition's on-line resolution, posted at verifiedvoting.org. The coalition calls for touch-screen machines to print a voter verified paper ballot that can be checked in case of problems.
Illinois has drafted a law requiring a voter verifiable paper trail, but there remains a catch. The law would require that a "permanent paper record shall either be self-contained within the voting device or shall be deposited by the voter into a secure ballot box." This record "shall be available as an official record for any recount, redundant count, or verification."
There is, however, a significant difference between these two options. The first option of ballots "self-contained within the voting device" does not allow the voter to inspect and verify the accuracy of his ballot; the second does.
The legal threshold in Illinois for obtaining a "recount" is far beyond the reach of third party and challenging candidates, making any "recount" unlikely.
A Palm Desert, Calif., woman, Susan Marie Weber, is suing the state over the use of unverifiable voting machines. "They're not allowing us to verify our votes," Weber said in WN.
Weber's suit charges Bill Jones, California's former secretary of state, and election officials in Riverside County of depriving citizens of their constitutional rights by deploying touch-screen voting systems made by Sequoia Voting Systems that do not provide a paper record. Weber says the Sequoia machines are more vulnerable to fraud than traditional voting methods.
HAND-COUNTED VOTING BEST
Hand-counted paper ballots were found to be the best and most accurate way of voting, according to the Voting Technology Project conducted by political scientists at Caltech and Massachusetts Institute of Technology (MIT).
The Voting Technology Project compared the reliability of voting systems used nationwide from 1988 to 2000 and came to a remarkable conclusion: "The most stunning thing in our work was that hand-counted paper ballots were better than anything else," project director Stephen Ansolabehere said.
This happens to be the exact conclusion reached four years ago by The Spotlight newspaper after its seminal investigation.
The Caltech/ MIT report found that as many as six million ballots were not counted in 2000. Of 800 lever machines tested, 200 had broken meters that stopped counting once they hit 999, but touch-screen machines were even worse.
The evaluation of voting systems found that touch-screen voting systems performed worse than the mechanical lever machines, optically scanned paper ballots and hand-counted paper ballots during the 2000 election. Only punch-card machines performed worse than touch-screen systems, which raises the obvious question: Do we need expensive electronic voting machines at all?