With the spotlight on voting machines after the fiasco in Florida in 2000, terms like chads and electronic voting have become household words. As we close in on the November elections, however, the jury is still out on a new generation of voting technologies.
As the November election looms closer, it's pretty safe to say that this presidential election promises to be just as dramatic - if not more problematic - as the 2000 contest. In a post-9/11 nation, government security officials warn almost daily of possible Al-Qaeda terrorist attacks on or near the election. Such ominous allegations have almost silenced what was proving to be one of the hottest stories of Election 2004 - the security and competence of the direct recording electronic voting systems (DREs).
For the past year tales of lost votes and easily hacked voting systems burned their way across the mainstream media, onto the Internet in blogs and chat rooms. Nonprofit groups sprung up practically overnight to "watchdog" the DREs and the vendors that made them. The issue got so heated that on July 13, 2004, citizens in 19 states took to the steps of their state capitals demanding a voter-verified paper trail as a backup in case the computers failed.
The matter of using secure and reliable DREs in elections isn't a small one. After the Florida 2000 election, DREs exploded onto the national landscape. According to Roy G. Saltman, only 10 percent of voters used them. Today, the Brennan Center for Justice predicts approximately 30 percent of registered voters in nearly half the states are expected to use a DRE to cast their ballot.
What are the problems of the DREs and what made them so popular? What can be done to safeguard the November 2004 election? There are various solutions but perhaps the participation of the average American voter may be the best line of defense.
PROBLEMS VS. POPULARITY
In the United States, voters usually cast their ballots on one of five systems: paper, lever machines, punch card machines, optical scanners, or DREs. Out of the five, there is no perfect election system - each is prone to votes lost or recorded incorrectly due to error or manipulation. In his work on examining lever machines during the late 1970s, Roy G. Saltman of National Bureau of Standards, found at least a third of the machines didn't record votes properly. The punch card debacle of the Florida 2000 presidential election added the word "chad" to the American vocabulary.
A litmus test for voting systems is the residual vote rate, also known as spoiled ballots, due to over-votes where more than one candidate for the same office was marked on the ballot or under-votes where no candidate was selected. Voting systems tend to lean toward one or the other. The Florida 2000 election showed how easily one can over-vote with punch cards - which is impossible with lever machines and DREs. However because the levers may stick thus not turn properly, under-voting may occur with lever machines.
When DREs work, they work extremely well. Their speed and accuracy in vote tabulation, the ability to program and quickly select the ballot in multiple languages, a lower residual rate than most other systems coupled with their computer audio capabilities where blind voters can hear their ballots - thus allowing them to cast a secret ballot - makes them attractive to election officials.
Historically with the residual vote rate in elections, according to a report written by the Caltech/MIT Voting Project's 2001 report "Residual Votes Attributable to Technology," DREs did poorly in 1988, 1992, and 1996. Oddly enough as punch cards struggled, 2000 "was the banner year for electronics" which "offers a glimmer of promise for this technology."
HAVA TO THE RESCUE
DRE popularity soared after the 2000 elections. Some people cite their push came from the Help America Vote Act of 2002 (HAVA). The Florida 2000 election provided Congress with a wake up call to the voting problems in America: the residual vote rate of punch card voting systems, no clear method of having a recount, problems with voter registration lists, and how to handle military and oversees ballots. Congress passed HAVA to deal with each of these issues. It also provided funding - $3.9 million over five years. For example, one set of funds allowed states the money to clean up their registration rolls by having a state-centralized voter registration database. Another set provided states with dollars to replace their punch card and lever machines. This buyout came with a stiff deadline - the machines had to be replaced by the 2004 election. Congress would extend the deadline to 2006 if the state gave good cause.
Brian Whitener of the Elections Assistance Commission (EAC), an agency formed by HAVA from a small office within the Federal Election Commission (FEC) to oversee federal elections, said this buyout was optional. No state had to replace their current voting systems as long as they met the new federal voting system standards. These standards include private ballot verification and alteration before casting the vote, notifying the voter of an over vote, provide proper voter education on how to use the system, provide multi-lingual ballots, and be fully accessible to the disabled - especially the blind or visually impaired. Whitener stressed this last requirement as the major requirement. "Nowhere in HAVA does it say that you must buy a DRE," Whitener said, adamantly. Yet HAVA reads that the voting system shall satisfy the disabilities requirement "through the use of at least one direct recording electronic voting system or other voting system equipped for individuals with disabilities at each polling place."
For Steven Ansolabehere, a political science professor and former Director of the Caltech/MIT Voting Project, these words written into HAVA were a smoking gun. "The local official felt if he had to have one of them [DRE], why not get them all and deal only with one vendor," he said. "That's how it's been interpreted by the local election official and the language made the push for all DREs."
But Ansolabehere said he doesn't know how much of HAVA could be blamed for pushing states to purchase DREs. He pointed out that Maryland and Georgia - two states which centralized their voting system by going entirely DRE purchased from a single vendor, Diebold Elections Systems - made their decisions well before HAVA was passed. Either knowingly or not, the real push for DREs may have come from the American Civil Liberties Union representing various civil rights and labor groups. From January 2001 through September 2002, the organization waged war against punch card machines by filing lawsuits in the states that used them. These included counties in California, Florida, Georgia, Maryland, Illinois, and Ohio. The suits cited punch card machines as violating the due process and equal protection clause of the Fourteenth Amendment. "It was something that was filed before we switched to electronic voting," Kara Hodgson of the Georgia Secretary of State Press Office said, "Because we did the switch to electronic voting, versus the punch card and the other voting methods we had in Georgia, that actually never occurred." Georgia's suit was dismissed in Federal court.
SERIOUS FLAWS
Despite their place in the sun during the 2000 election, DREs have a major drawback - they are computers. "Like any computer they run software," Rice University Computer Science Professor Dan Wallach said. "Like any software it could have bugs. Could those bugs impact an election - maybe, maybe not?" Even more startling - and mentioned fully during Congressional testimony leading up to HAVA - is that the DRE software has serious security flaws in relation to how it handles the recording and transmission of voting data. These flaws hit crises proportions when one in the programming code of Diebold Elections Systems' AccuVote-TS became public.
In January 2003, Bev Harris, a publicist from Renton, Washington with a keen interest in electronic voting, came across what she suspected was archived programming code in a FTP folder located on an unprotected Internet site which referenced Global Election Systems - a Vancouver-based voting systems manufacturer purchased by Diebold in 2002. She downloaded the files to CDs. According to the John Hopkins Magazine article, "E-lective Alarm," the next month Harris contacted Scoop, a New Zealand muckraking Web site, trying to find out if the files she had were actually source code. As per the article, after several people identified it as code, "Scoop linked to the data files, word spread that for the first time, voting-machine code was available for scrutiny."
There, the article continued, David Dill, a computer scientist at Stanford University and a known critic of DREs, found the code and contacted John Hopkins Computer Science Professor Avi Rubin. Rubin joined forces with graduate students Adam Stubblefield and Tadayoshi Kohno plus Dan Wallach, who had a background in computer security. Wallach said he too downloaded the Diebold code from New Zealand. On July 23, 2003 the quartet published "Analysis of an Electronic Voting System" - better known as the Hopkins Report.
"The gist of our results is that we found [the] Diebold source code is not suitable for use in any election," Wallach said. "We found a wide variety of security flaws." One flaw noted in the report is the easy replication of voting cards. How the AccuVote-TS works is after a person signs in to vote, a voter card is given. The person then places the voter card into the terminal and proceeds to cast their ballot. After a vote has been recorded, the terminal then marks the voter card as used. The voter then returns this used card to the poll worker which is stored away. This way, when the DRE prints its totals at the end of the election, the number of votes should match the number of voter cards.
The Hopkins team found that these voting cards could be easily replicated, thus multiple votes could be cast or the votes could be sold. They also found that in addition to the voter cards, there were also administer and ender cards, which could also be easily configured. The administrator card gives special access to the terminals while both cards could end an election. Thus, a malicious voter could temporarily shut down an election, "thus deterring a large amount of potential voters from voting."
ONE KEY FITS ALL
| Knowing the GEMS server phone number, a hacker can take control of the server - modifying the election results - from anywhere in the world. |
What was Jones' reaction when he heard the Hopkins team found this "bug" nearly six years later, in what wassupposed to be a new system? "I was really upset. I was furious that they had ignored a serious report of a bug that I had mentioned in Congressional testimony and mentioned before the Federal Election Commission as an illustration of the weakness in the status quo," Jones said. "There was nothing secretive about this bug. I was furious it was still there as I felt this was a bug that I thought was evidence of amateurish development. That's not good." Jones felt the flaw was not intentional - only the sign of incomplete development to rush a product onto the market to gain market share.
A weak chuckle through a breathless sigh - like someone just kicked the wind out of her - was the reaction of Director of Election Management Division for the Maryland State Board of Election, Donna Duncan when this reporter asked her reaction to the Diebold "bug" after her state penned over $55 million for the systems. Maryland took decisive action by contracting two independent consulting firms: the Science Applications International Corporation (SAIC) working for the governor's office in August 2003 and RABA Technologies on behalf of the state legislature in January 2004. Both confirmed the flaws found in the Hopkins Report and suggested courses of action for Maryland to take in securing its systems.
SECURITY FLAWS COULD DISRUPT ELECTION
RABA's findings revealed even more security flaws than the Hopkins Report, reporting the system "contains considerable security risks that can cause moderate to severe disruption in an election." The "red team" discovered serious vulnerabilities on the servers located at both the local Board of Elections and the state Board of Elections. Diebold's Global Election Management System (GEMS) server software overlays on top of a Microsoft Windows operating system. The servers lacked the Microsoft security updates to it. One such update protected against use of the software product, Canvas, in modem transmission. The report reads, "By successfully directing Canvas at the GEMS modem interface, the team was able to remotely upload, download and execute files with full system administrator privileges." Knowing the GEMS server's phone number, an attacker can take total control of the server - uploading malicious software or modifying the election results - from anywhere in the world.
What is particularly troubling about the findings is that DREs, like some lever machines, produce printouts at the end of the election - not during. The actual ballot is the electronic image on the screen, not a conventional paper one. If something goes wrong inside an individual voting terminal either from a malicious attack or a simple software bug, resulting in lost votes - there is no way to go back and have a recount. "Between the time you touch the screen and the time a durable record of that vote is stored, the record of that vote is held in the sole custody of one piece of software inside the machine," Jones said. "The problem is, there is a gap between what the user entered and the creation of this durable record. The paper trail works around that gap."
The findings by Hopkins, SAIC and RABA surprised Duncan. She said Wyle Laboratories, the independent testing facility which certified the AccuVote-TS against the FEC/NASED voting system standards, gave the machine a high recommendation. Jones agreed. "Wyle Labs came back on this voting system saying this was the best voting system software they ever examined," he said. "And it came back saying that they were particularly impressed with its security." He added that the report from Wyle Labs was "immediate evidence of the incompetence" toward the standards voting machines are tested against.
He may be right. By January 2004, Diebold wasn't alone in the security flaw department. Reports conducted by Ohio, who was looking to purchase DREs, found a total of 57 security flaws among systems manufactured by Diebold, Elections Systems & Software (ES&S), Hart InterCivic, and Sequoia Voting Systems.
To understand the standards DREs are tested against - as well as how they made their way into our election precincts - one has to examine breakdown of the elections system and the role the voting vendors play within it.
RESPONSIBILITY FALLS TO LOCAL GOVERNMENTS
"What has happened historically with this issue is the federal government gave it to the states and the states gave it to local governments." Ansolabehere said. "And it sat there. Your town and county administer your elections." As election administration breaks down, so does the financial burden. Primarily counties pay for all elections as the federal government never paid a dime. Ansolabehere said some states do pay or do some of the cost sharing - but the burden falls on the local officials. "The problem is that [voting] is the lowest level of county government. This isn't even the main function of county government. It's a forgotten issue," he said, "It's such a small amount of money that when the census of governments tabulates what local & state governments spend money on - this doesn't even make the list."
Technically, voting is controlled by the State Board of Elections which falls under the auspices of the Secretary of State - the state's chief election officer. Voting standards are set by the state - including which vendors are allowed to sell within it. Very few states have state-centralized voting where purchases are mandated on the state level. Georgia and Maryland are two states that are centralized. The majority is broken down into jurisdictions either at a county, city, or town level.
In these states, because they run the elections, they also control the purchasing decisions for that jurisdiction. Voting vendors invested a great deal of time wooing them - in many cases years - forging powerful bonds. "Some people have been working with the Board of Elections for 30 years," Ohio State Senator Teresa Fedor said, "Boy they do have a close relationship with them [the vendors]." She realized these relationships involved a great deal of trust. "They have to - that's [the election official's] job. It would be terrible if they didn't."
The election official's job is a daunting one, especially with a major election such as November 2004 where voters will choose among federal, state, and local offices. "We have a jillion elections on one day with all these complicated ballots that are complicated by the number of political districts that over-lap and the number of languages that have to be supported," Ansolabehere said. He gave one example - that the registrar in Los Angeles County has to format about 5,000 ballots for a general election.
Part Two of "The Nightamre of E-Voting" next month will focus on the lack of funding for voting systems, the often cozy relationship between county election officials and voting machine vendors, the problem with federal voting standards, why paper trails should be mandatory for DREs, and how future elections can be safeguarded against possible fraud.
