The events surrounding the November 2000 presidential election added the term “hanging chad” to the popular vocabulary. Suddenly everyone had an opinion on obscure questions of election law. The one opinion that was nearly uniform was that the country must shift rapidly away from antiquated voting technologies, such as punch cards and lever-based voting machines, to modern systems.
That shift, which was already taking place to some extent, has accelerated substantially. According to a study by Election Data Services, a political consulting firm specializing in election administration, by the 2004 general election, well over half the registered voters in the country will cast their votes using either optical scan systems or so-called direct recording electronic systems similar to automated teller machines; fewer than twenty percent will still be using punch card systems. Of 572 counties that used punch cards in 2000, 265 will have changed to some other system by the 2004 election. The shift has been fueled in part by the passage of the Help America Vote Act of 2002, which provides for over $325 million in funds to assist counties using punch card and lever systems to convert to more modern methods.
As the shift has accelerated, however, significant concerns have arisen as to whether the new systems will meet their objectives, and whether they will introduce massive new opportunities for both accidental failure and intentional sabotage and manipulation.
Everyone seems to assume, as seems natural, that electronic voting machines will all but eliminate the problems of so-called “residual votes” (when a ballot is uncounted because it is unmarked or otherwise spoiled). Yet a 2001 study by the MIT/Caltech Voting Technology Project found that the residual vote for touch-screen voting machines during the last presidential election was 2.3 percent, only marginally lower than the 2.5 percent rate for punch-card systems. For the senate and gubernatorial races, the touch-screen machines actually had a higher residual vote than punch-card systems.
A more serious question is whether, in the rush to adoption, machines have been and are being put in place that are woefully insecure, subject to manipulation that could disenfranchise unprecedented numbers of voters. Recent studies have demonstrated deep and unsettling vulnerabilities in both the hardware and software designs of the Diebold AccuVote-TS System, one of the most widely used touch-screen voting systems, which has already been used in several statewide elections.
Computer scientists at Johns Hopkins and Rice universities obtained copies of the source code for the Diebold systems from an unprotected public web server operated by the company. Their analysis of that code found it to be amateurish in its design and implementation. For example, the passwords encoded onto smartcards used by election administrators to control the voting machines were fixed (every machine used the same access password) and written directly into the source code in plaintext form. Thus anyone with access to this source code file could use a standard commercial smartcard reader to create a control card.
Although Diebold claimed that the Hopkins researchers had found only very old, preliminary versions of the system software which had since been significantly reformed, most of the findings were later confirmed in an independent assessment commissioned by the state of Maryland, which had purchased the Diebold system. The consultants, RABA Technologies LLC, confirmed that the passwords discovered by the Hopkins researchers could still be used to take control of the machines. What is more, select RABA employees who had not read the Hopkins report managed to guess the passwords on the first attempt. In addition to the weak security in the software, the consultants outlined several flaws in the hardware design that could at best enable a malicious attacker to disable the machine (leading to long delays for voters), and at worst allow the attacker unrestricted access to the software and data stored within. For example, attackers could easily rip out wires, disconnect the touch screen, or jam the card reader, disabling the machines. Similarly, a keyboard secreted into the voting booth could be plugged into available ports to gain control. As with the software passwords, all the machines were opened with identical physical keys, of which over 32,000 had been issued. In addition, the locks could be picked by the most basic techniques. Once inside, the intruder had unlimited access to the hardware to either disable it or install modifications that might subvert the vote.
While the Hopkins researchers focused on flaws in the design of the software in the actual voting machines, even more disturbing problems have been found in the GEMS software which runs on computers at county election headquarters to gather and tally the results. A journalist investigating whether Diebold was subverting the certification process for their system (for which there is significant evidence) was the first to report these flaws. Their existence was later confirmed in the RABA study.
The principal flaw is that the entire GEMS system stores its data in Microsoft Access database format. The data are unencrypted, and programs external to the GEMS software can easily modify the data without a trace. The RABA team identified several hardware insecurities that would enable an intruder to install such malicious software undetected given as little as five minutes' access to the system. In addition, while the system is not connected to the internet, it has a dial-up modem which is used to gather preliminary returns from the precincts on election night. RABA consultants determined that an attack could be mounted remotely using this method. Finally, RABA noted that the computers lacked over fifteen patches issued by Microsoft to address security issues in the underlying operating system.
The flaws in GEMS have more widespread impact than might at first be apparent. Because the GEMS central management system is used not just with Diebold’s touch-screen electronic voting machines, but also with their optical scan systems, precincts adopting the optical scan systems are exposed to all these insecurities as well.
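One way to make the kind of silent modification described above detectable, shown as an added example that is not Diebold's, RABA's, or the Hopkins team's code: each tally record is chained to its predecessor and keyed with a secret held off the tally computer, so a record edited outside the software no longer verifies. The key, record layout, and vote counts are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: this key lives with the election board, not on the tally PC.
AUDIT_KEY = b"example-key-held-by-election-board"


def flat_records():
    # Plain rows, as an unprotected database holds them (constructed sample data).
    return [
        {"precinct": 101, "candidate": "A", "votes": 412},
        {"precinct": 101, "candidate": "B", "votes": 388},
        {"precinct": 102, "candidate": "A", "votes": 275},
    ]


def _tag(prev_tag, record):
    # HMAC over the record content and the previous entry's tag.
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def chain_records(records):
    # Protected store: every entry carries its own tag and the tag before it.
    chained, prev = [], ""
    for rec in records:
        tag = _tag(prev, rec)
        chained.append({"record": dict(rec), "prev": prev, "tag": tag})
        prev = tag
    return chained


def verify_chain(chained):
    # Recompute every tag; returns the index of the first bad entry, or -1 if intact.
    prev = ""
    for i, entry in enumerate(chained):
        if entry["prev"] != prev:
            return i  # entry removed or reordered
        if not hmac.compare_digest(_tag(prev, entry["record"]), entry["tag"]):
            return i  # content edited or tag forged without the key
        prev = entry["tag"]
    return -1


def demo():
    # The same edit against both stores: the flat one cannot tell, the chained one can.
    flat = flat_records()
    flat[1]["votes"] = 188
    chained = chain_records(flat_records())
    chained[1]["record"]["votes"] = 188
    return flat[1]["votes"] == 188, verify_chain(chained)


if __name__ == "__main__":
    print(demo())  # (True, 1)
```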
The RABA team concluded with a number of recommendations detailing steps that would reduce vulnerabilities in the short term. With regards to the long-term security issues in the software, RABA essentially agreed with the Hopkins researchers, stating that “[a complete] code rewrite would be necessary to instantiate the level of best practice security necessary to eliminate the risks we have outlined.”
The severity of the security flaws has led some conspiracy theorists to assert that they must in fact have been intentional, designed to make it possible to launch attacks planned and sanctioned by the equipment’s manufacturers. These theories have gained many adherents. They have been further fueled by surprising Republican party victories in Georgia in 2002 (the first year in which the new systems were used), the fact that Republican Chuck Hagel, who won a landslide victory in his run for the senate seat from Nebraska in 2002, formerly ran the company that built the voting machines used in that state, and the unfortunate comment made by Diebold’s chief executive officer Walden O’Dell in a fund-raising letter that he would do whatever he could to “[help] Ohio deliver its electoral votes for the president this year.”
While few serious political analysts believe these theories, the problem is that there is no way to refute them. Because the electronic systems in use do not produce a verifiable paper trail of the vote, a recount, in the traditional sense, is impossible. Many feel that this limitation goes to the heart of the issue, while also pointing the way to an obvious and comparatively easy solution to many of the problems: a voter-verifiable paper audit trail (VVPAT). In a system offering VVPAT, once a voter has voted on screen, the system would print a paper receipt with the details of the vote. The voter would confirm its correctness and deposit it in a box with the poll workers, much like a traditional optical scan, punch card, or paper ballot. These receipts could then be used in a recount in case the vote were called into question.
The core ideas of VVPAT have been around for some time. Most recently, though, they have been championed by David Dill, a computer scientist at Stanford University. In early 2003 he posted an online petition calling for a VVPAT requirement, and began gathering endorsements from computer scientists around the nation. The petition has since garnered the signatures of several thousand computer scientists and technologists, as well as other supporters. Dill, who is mentioned in nearly every article on electronic voting, is widely credited with having brought the issue into the spotlight.
While VVPAT is not a panacea, it addresses a significant number of issues, not least being voter trust in the system. Thus, for example, while the RABA report discusses how certain attacks, such as a voter manipulating the system to cast multiple votes, will not be addressed by VVPAT technology, it concludes that paper receipts should be added to the system, for the reasons cited.
The belief in the need for VVPAT is rapidly becoming the consensus view, and the political system is taking up the charge. In November 2003, Kevin Shelley, Secretary of State of California and in charge of elections in that state, issued an order that all electronic voting systems in the state purchased after July 2005 would be required to incorporate VVPAT technology, and by July 2006 all systems purchased prior to July 2005 would have to have been retrofitted with VVPAT. In addition, Representative Rush Holt of New Jersey introduced the Voter Confidence and Increased Accessibility Act of 2003 (H.R. 2239), which requires VVPAT on all equipment funded through the Help America Vote Act of 2002. With this trend, voters in years to come will hopefully be able to vote with confidence.