Holding the vote-counting machines accountable

By LISA GUERNSEY
New York Times News Service 24 September 2004

Computerized voting machines are attracting a lot of attention in this election year, but one system is being watched particularly closely: the AccuVote-TS.

The AccuVote-TS has been the subject of at least four studies over 14 months that expose security holes. This spring California's secretary of state, Kevin Shelley, blasted the manufacturer, Diebold Election Systems, for not following proper procedures in updating its software. Those problems and a battery defect that rendered some machines unusable for hours during the March primary prompted Mr. Shelley to order all counties using touch-screen machines to offer a paper alternative.

Still, the AccuVote-TS will be used by more voters than any other electronic system this fall. Precincts with more than 6 per cent of registered voters will use Diebold's system, according to the research company Election Data Services. It says that overall, 29 per cent of voters are registered in precincts where ballots will be cast electronically.

Nearly all voters in Maryland and Georgia will use AccuVote-TS, which is also the primary machine used in the California counties of Alameda and Plumas. (In New York, only one jurisdiction — Clifton Park, near Schenectady — will use touch-screen machines, and they are made by Sequoia Voting Systems, a Diebold competitor.)

Officials say that no matter what machines are used, hackers and malfunctions will be kept at bay.

"The voters can be assured that we've done everything humanly possible to make the voting equipment secure and safe for them to use," said Linda Lamone, administrator of Maryland's State Board of Elections.

What exactly is being done to build that confidence? Here is a look at some of the oft-cited risks related to the Diebold machine and how they are, or are not, being mitigated.

Connectivity

Worries about computerized voting machines being hacked over the Internet can be allayed off the bat, said David Bear, a Diebold spokesman. No AccuVote machines are connected to the Internet, nor are the servers that crunch the final numbers. At the end of election night, vote totals from each machine can be transmitted to a central office two ways: either by hand carrying the memory cards and printouts that come with each machine or over a modem connection to a private telephone line.

Yet security analysts say that someone could tap into the phone line, gain access to the totals and change them before they are reported. Roxanne Jekot, a computer programmer who maintains a protest website called countthevote.org, said many of the lines used for transmission were public school fax lines whose numbers could be easily obtained.

Several security reports last year urged Diebold to encrypt the transmission data so that it appeared as gibberish to anyone without a key. Maryland and the two counties in California will be using an d version of the AccuVote system that includes such encryption, according to officials. But in Georgia, the transmitted data is not encrypted because the state is using an older version of the system. Chris Riggall, a spokesman for Georgia's secretary of state, Cathy Cox, said that state officials decided that they could not screen the new system in time for the fall elections.

If transmitted data is tainted, election officials say they would be able to detect the problem as soon as the official numbers are tallied. In all three states using the AccuVote-TS, election procedures require officials to compare the totals obtained from the machines' memory cards and printouts to the totals that come across the modem. If the numbers do not match, the totals compiled before the phone-line transmission would most likely be used instead.

"A final result tally is never to be derived from a modem-ed result total," Mr. Riggall said.

Software testing

Still, David L. Dill, a computer scientist at Stanford University, says there is always the risk that a programmer on the inside could plant a piece of code that switches votes from one candidate to another before the data is even transmitted. Other experts also sound warnings about unintentional software glitches. For example, what if the software contains some obscure bug that subtracts a vote for a candidate every 100th ballot?

Diebold and election officials point to the multiple tests that machines undergo before the polls open. Evaluations are conducted by national, state and independent agencies. At the conclusion of these tests, the machines are sealed with tamperproof tape.

In the days before an election, each machine goes through a "logic and accuracy" test in which a vote is cast in every race to make sure the ballots are written correctly and the numbers add up. The machines are sealed again until election morning, when a printout is generated to show that no votes have yet been cast.

But "you can never find all the bugs," said Aviel D. Rubin, a computer scientist at Johns Hopkins University who was a co-author of the first report criticizing Diebold, in July 2003. "You can never get it perfect."

Smart Cards

When voters arrive at the polls, they receive a smart card containing an electronic chip to into the touch screen units and bring up the ballot for their specific precinct or district. The July 2003 report by Rubin and three other computer scientists said the Diebold cards could be hacked. They envisioned a scenario in which people could forge cards to vote multiple times.

Mr. Riggall said that poll workers are trained to compare the running vote totals with the number of people who have come to vote. He said they would be able to quickly detect whether someone has stuffed the ballot box.

What about other attempts at tampering? In a simulation last year, a team of experts with RABA Technologies, a security company in Columbia, Md., attempted to hack into the cards by guessing passwords. The team was able to gain access to the cards' contents after a few guesses and create a forged supervisor card. With such a card, a perpetrator could disable a touch-screen unit.

Diebold has since tightened its security. It has created a way for authorized poll workers to quickly change a card's pass code when and if necessary. Maryland and California will be using that system in November. But Georgia will not because it could not be tested on each of its 24,500 machines in time, Mr. Riggall said.

Meanwhile, reports of glitches on machines by Diebold and its competitors have spread through websites built by voters' rights activists and computer scientists. (Among them are verifiedvoting.org and blackboxvoting.org.) But vendors stress, and even e-voting critics agree, that shortcomings can affect any machine, electronic or otherwise. The mechanical lever or optical scanning machine can fail just as batteries do. Poll workers may be poorly trained. Voters can make mistakes.

Officials at sites using e-voting machines say they are prepared for those scenarios. They say they are training poll workers to handle malfunctions, just as they do to head off problems with optical scanners, levers and punch-card machines.

Critics say they can only hope that the problems will not be severe enough to require recounts, since paper ballots will not exist.