Wired 12.01: January 2004
Broken Machine Politics
Introducing the User-Friendly, Error-Free, Tamper-Proof Voting Machine of
(WARNING: Satisfaction not guaranteed if used before 2006.)
By Paul O'Donnell
On a cool afternoon last February, five politicians gathered in the heart
of Silicon Valley for a meeting of the Santa Clara County Board of
Supervisors. Their task: to replace the county's antiquated punch card
voting system with $20 million worth of touchscreen computers.
Executives and lobbyists from three different voting-tech vendors were
scheduled to present their wares, but the outcome was practically
predetermined. Supervisors on the board's finance committee had already
anointed a winner: Sequoia Voting Systems, based 35 miles north in Oakland.
It was all over but the voting.
And then the computer scientists showed up: Peter Neumann, principal
computer scientist at R&D firm SRI; Barbara Simons, past president of the
Association for Computing Machinery; and Stanford computer science
professor David Dill. They had been fidgeting in the front of the room
through three hours of what Dill would later call "garbage." Finally, they
stood up and, one by one, made their case.
Voting, they explained, is too important to leave up to computers - at
least, these types of computers. They're vulnerable to malfunction and
mischief that could go undetected. Where they'd already been adopted, the
devices - known in the industry as DREs, short for direct recording
electronic - had experienced glitches that could have called into question
entire elections. And they keep no paper record, no backup. "We said, 'Slow
down. You've got a problem,'" recalls Neumann.
It felt odd - computer scientists inveighing against their own technology
in the tone of geniuses lecturing undergraduates. They had been lobbying
for months, and now "it was like they were making a last stand at Santa
Clara," says one person who was at the meeting. The supervisors listened
politely. "But the board didn't seem to see what it had to do with
anything," says Liz Kniss, a supervisor who shared the concerns raised by
In the end, Kniss and her colleagues voted 3 to 2 to award the contract.
The last stand had failed - almost. At the final moment, the supes insisted
that Sequoia be ready to produce DREs with a paper backup, should the
county ever ask for them. It seemed like a sop to the geeks, but months
later it would prove to be the smartest thing the board did that afternoon.
After Florida and the chaos of the 2000 presidential election, the nation's
voting masters vowed: Never again. Never again would an election be
jeopardized because the mechanics failed, and never again would parsing a
winner be left to human discretion. Officials have scrambled to update
voting equipment, creating a weird, three-pointed confluence of interests:
civil servants, suits, and geeks.
Thanks to Florida, local governments find themselves sitting on piles of
fix-it money - millions from city and county coffers and $3.9 billion from
Congress, thanks to the Help America Vote Act of 2002. The companies that
make voting equipment are rushing to produce machines; at the same time,
big players like Diebold, with almost $2 billion in revenue last year, are
touting transparent, efficient, and chad-free elections. Meanwhile, some of
the nation's elite computer experts and election watchdogs are
hyperventilating. They see a fumbled opportunity - instead of using the
tech to make democracy secure and accurate for the first time, we're
building an electoral infrastructure with more holes than a punch card
ballot. This future is getting hashed out not in Washington (the Feds don't
run elections) but in the nooks and crannies of American politics, like
that Silicon Valley board meeting. "Every year there are legislative
proposals that make election administrators' eyes roll," says Warren
Slocum, chief elections officer for San Mateo County, just south of San
Francisco. "The voting registrar's life has become wildly complex."
That's ironic, because electronic voting is supposed to make elections
easier. The systems themselves are as simple to use as an ATM, and
overvotes - one of the problems in Florida - are impossible. You can't
select a second candidate without deselecting the first. The interface
notes skipped races or ballot questions. With the addition of a simple
numeric keypad and headphones, the visually impaired can vote independently.
Electoral officials get their own set of benefits. For example, some
precincts in Southern California print ballots in Spanish, Vietnamese,
Korean, and Tagalog, among other languages; registrars must guess how many
of each to print before election day. And printed ballots often show
candidates who have dropped out (such as Arianna Huffington in the
California recall). By contrast, touchscreens can be quickly reprogrammed
with new languages and ballot changes. When the polls close, an election
worker inserts an "ender" card that tells the DRE it's time to aggregate
the votes. The machine saves the tally in its internal memory and copies it
to a flash memory card, which the worker removes and transports to a
separate server. That's where the official count takes place - fast enough
for TV networks to name a winner before the bars close.
Yet for all the ostensible advantages, digital voting's recent history
plays like a Marx Brothers movie. In Southern California's Riverside County
in 2000 - the state's first use of touchscreen DREs - a Sequoia server
unaccountably froze, then began counting backward. In the central coast
community of San Luis Obispo in 2002, a machine spontaneously began
reporting totals with five hours left in the election. In Louisiana,
humidity and overheating caused constant crashes. Last November, in
Indiana, DREs reported more than 144,000 votes cast in Boone County, which
has fewer than 19,000 registered voters.
With stories like these, it's not hard to suspect something sinister. One
of evoting's harshest, most vocal critics has been an online journalist
named Bev Harris, a loquacious 52-year-old from the Seattle area with a
keen nose for gossip. Her site blackboxvoting.org chronicles a litany of
malfeasance and incompetence. Faulty equipment, miscounts, and tapping into
vote-counting machines with cell phones are just the start. Harris rails
against the right-wing Christian Ahmanson family's sponsorship of Election
Systems & Software and the failure of US senator Chuck Hagel (R-Nebraska)
to disclose financial ties to the company while its machines were being
used to vote for him. And then there's the now-infamous smoking gun: a
fundraising letter from Diebold's chief executive, Walden O'Dell, assuring
fellow Ohio Republicans, "I am committed to helping Ohio deliver its
electoral votes to the president next year."
Harris has particularly focused on Georgia in 2002, the first statewide
elections using Diebold machines. There, a local IT worker claims he was
hired to install state-certified software in new machines from Diebold but
spent most of a sweaty election eve patching in fixes straight from the
company. A Diebold spokesperson says the company has obeyed the election
laws in every jurisdiction it serves. In that same election, aides to
secretary of state Cathy Cox worried that they would have no way of knowing
whether any given machine at a poll had blown a fuse. So they distributed
8,000 night-lights to polling stations with instructions to plug the
machines into the lights and plug the lights into the wall as an improvised
Lately, DRE critics have targeted the safety of the actual votes. When
Stanford professor Dill put questions about cryptography to a Sequoia
executive at a meeting of California's task force on evoting, the vendor
said that they'd written the crypto themselves. "Do-it-yourself crypto is a
bad idea," says Dill. A Sequoia spokesperson says the company uses
"publicly tested and accepted" encryption standards.
All said, you don't have to be a conspiracy theorist to spin out a
nightmare scenario. A well-orchestrated attack could change the outcome of
an election for the entire country (see "5 Worst-Case Scenarios,"
opposite), and we might never know it happened. Imagine the "Manchurian
Programmer": a domestic political dirty tricks operation or, let's say, the
People's Republic of China - technologically sophisticated, deep-pocketed,
and with previous attempts at election trickery on its rap sheet - finds a
programmer working for a vote-tech market leader and flips him to the
cause. He instructs the machines to record a vote for one candidate as a
vote for another. Normally, safeguards - so-called Logic-and-Accuracy tests
- would catch such a problem. But the Manchurian Programmer writes his code
bomb to operate only between certain hours on election day. The tests miss
the flaw. Just a few votes get swapped, but that's enough. Paul Kocher, CEO
of computer security firm Cryptography Research, says changing only half a
percent of the votes cast could have given the House to the Democrats in
the last election.
Americans have always hoped technology would solve electoral problems. In
the late 1880s, New York and Massachusetts introduced newfangled paper
ballots pioneered in Australia. Lever machines, which reduced the number of
ballots spoiled by error and fraud, first came into use in 1892. And punch
cards appeared in polls in the mid-1960s, when UC Berkeley political
scientist Joseph Harris adapted IBM computer cards. (Harris' prototype IGS
Votomatic turned up in university storage in 2001; now the Smithsonian has
it.) Westinghouse Learning's "mark sense" cards grew out of optical-scan
technologies developed to grade the ACT college entrance exam.
Today, touchscreen machines are spreading faster than any previous voting
technology. In the California recall election in October, 9 percent of
voters made their selection directly on a computer. By the state
presidential primary in March, it'll be 32 percent. "All counties will
eventually utilize touchscreens," says John Groh, senior vice president at
Election Systems & Software. "It will reduce their costs and give everyone
access to the ballot."
It will also create a monster of a market. A midsize state typically needs
20,000 machines, at about $3,000 apiece, plus service contracts and
upgrades. In May 2002, Georgia paid more than $50 million to go digital;
Maryland signed a similarly sized deal. The manufacturers have been on
their own buying spree. In 1997, ES&S started rolling up other companies,
like Business Records, one of the original purveyors of optical-scan units.
In 2002, De La Rue, a British provider of banknotes and other secure
documents, paid $23 million for Sequoia, which then served 70 counties in
Perhaps most fatefully, Diebold got into the game. A maker of safes and
vaults before the Civil War, the Ohio-based company eventually expanded
into alarms and other security systems. In the 1960s, it prototyped an
automated teller machine; today Diebold makes two-thirds of the ATMs in the
US. In 1999, the company bought a South American computer outfit named
Procomp, which was awarded a contract to provide DREs for Brazil's
presidential election. Two years later, in the biggest play so far, Diebold
paid $26 million for Global Election Systems, with sales contracts in more
than 850 North American jurisdictions.
Joe Torre is not your typical Maryland powerbroker, not the kind of
legislative hack who has a sandwich named after him at Chick and Ruth's
Delly - that's how they spell it - a couple of blocks from the state
capitol in Annapolis. But Torre, a native with the appealing near-drawl
indigenous to this near-Southern state, wields his own kind of influence.
He's the voting equipment procurement officer, and last year he spent more
money on election technology than anyone in US history.
See, in 1994, Maryland had its own mini-Florida. The Democratic governor,
Parris Glendening, survived an ugly recount after edging out his opponent,
Republican Ellen Sauerbrey, by just 5,993 votes. Sauerbrey sued, the FBI
got involved, and the state's voting equipment got part of the blame.
Torre and the election board's implementation officer, David Heller,
entertained presentations from at least five companies, small and large.
One of the vendors took hours to set up. Another one, says Heller, had a
system that looked like it ran on vacuum tubes. But Diebold "seemed to have
the most business sense." Torre liked it for a simpler reason: the
familiar, ATM-like interface. In March 2002, the election board bought
5,000 Diebold machines for a pilot program in four counties. Last July,
Maryland agreed to buy 11,000 more. Cost of creating a new infrastructure
for elections: $55.6 million. Cost of not having the FBI oversee those
Then, a few days after the contract with Diebold had been signed, the bits
hit the fan. A computer security expert from Johns Hopkins named Aviel
Rubin published a report eviscerating Diebold's tech.
How Rubin got involved is a bit of a tale. Six months earlier, just after
the supervisors meeting in Silicon Valley, Bev Harris - the anti-DRE writer
- was Googling Diebold. She stumbled on a company FTP site containing what
looked like code for the AccuVote-TS, one of Diebold's touchscreen units.
She announced on her Web site that she'd found the code, but she didn't
know what she had. David Dill did. He passed along word of the Diebold code
Rubin is a leader in the field. He served on a National Science Foundation
panel on computers and voting, and he helped the Costa Rican government
study Internet-based elections. Plus, he gets jazzed about bulletproof code
and rock-solid security the way some guys get jazzed about sports. He'd
even asked Diebold for a machine to dissect (they said no). "Everything
changed when we got to peek under the hood," he says.
Rubin called in two graduate students, Adam Stubblefield and Tadayoshi
Kohno, and told them he had "a drop-everything project." Stubblefield had
been Rubin's intern at AT&T; while there he had confirmed that Wi-Fi
networks were hackable, identifying the encryption keys in just a week.
(The Wi-Fi crypto standard is now being upgraded.) "I talk about 'Adam
units,'" says Rubin. "He does in a day what others do in a month, and Yoshi
is in the same league."
In a few days, Rubin, Stubblefield, and Kohno isolated the encryption keys
that protect data on a Diebold machine. Then they moved on to larger,
structural weaknesses. Rubin published an extensive report criticizing the
devices. "They made mistakes I wouldn't expect an undergraduate in computer
security to make," Rubin says. Programmer logs, previously hacked from
Diebold's Web site, disparaged the code: "This is a bit of a hack for now,"
one note reads. Other problems: The smartcards with which voters log in use
unencrypted passwords (easy to fake - either to vote more than once or
prematurely close out a DRE). The machines are protected by the outdated
Data Encryption Standard, crackable in 24 hours or less. Anyone who wanted
to rig an election could bust open the data files - say, while transporting
flash memory cards - and insert new vote tallies. And Diebold runs it all
on Microsoft Windows CE, not exactly the Fort Knox of operating systems.
When Kohno presented their analysis to some 500 computer security experts
at the Crypto 2003 conference in Santa Barbara last August, "we lost at
least a minute of our five minutes up there to laughs," Rubin says.
The repercussions were immediate - and hardly what Rubin expected. Diebold
initially objected on technical grounds, saying Harris found outdated code.
Then the company sent Rubin a letter warning him to shut up. In September,
Diebold prevailed on Bev Harris' ISP to shut down one of her Web sites that
linked to Diebold memos, and the manufacturer has since sent
cease-and-desist letters to others who posted copies. Maryland officials
maintain they are grateful that Rubin issued his report. As a result, they
hired Science Applications International Corporation do an outside review
of the Diebold machines. SAIC found many of the same flaws. Maryland got
Diebold to close the most egregious gaps in security - the company made
administrator passwords programmable instead of hardwired, improved the
encryption on ballot results transmitted by modem, and gave officials the
ability to alter encryption keys. Then Maryland let the contract with
Diebold go forward.
Rubin doesn't seem to understand entirely why his report got everyone in
Annapolis so upset. "We didn't do it the day before the election," he says.
Stubblefield pipes in: "We expected they would fix it." Rubin admits that a
perfect system is hard to imagine for a population as large as the US (his
solution is an impracticable, multitiered design diagramed on his
whiteboard). The real problem, he points out, is that the soul of computer
security is authorizing specific people to do specific tasks, usually via
password. But connecting specific voters to their selections is precisely
what our secret ballot system forbids.
Standing before the Santa Clara Board of Supervisors back in February,
David Dill pitched a solution. The only way to verify an electronic
election, he said, is to keep a paper trail. In Florida, when the
presidential vote went down the pipes, the state initiated a hand count of
every ballot. Most DREs don't offer that choice. But if they printed a vote
tally in addition to storing the 1s and 0s, a blackhat hacker couldn't
really affect the outcome. "If there's a paper trail," Rubin says, "Osama
bin Laden could write the code and it wouldn't matter."
In late November, California's secretary of state, Kevin Shelley, conceded
the point. He announced that by 2006, all DREs must be equipped with paper.
Other states are expected to follow. While a few small vendors of election
technology say they're ready to comply, only one major player, ES&S, has
produced a prototype that includes paper. It's a kludge, a voting device
grafted to a 1920s-era pneumatic tube transport system. The box has a
plastic pipe attached; the paper ballot pops out for verification, then
whooshes into a lockbox when the voter approves.
Adding paper won't come cheap. Alfie Charles, a spokesperson for Sequoia
and a press officer for California's previous secretary of state, says
it'll tack on 15 percent to the cost of a $3,000 machine. That's an extra
$55 million to $65 million statewide.
So the computer scientists in Silicon Valley are vindicated. But whether
DREs are trustworthy overall is still an open question. California may have
helped with that, too. In the October recall election, voters used a
smorgasbord of devices: optical scan ballots, punch cards, and touchscreens.
Afterward, Rebecca Mercuri, a computer scientist and research fellow at
Harvard's Kennedy School of Government, and a proponent of paper backups,
ran the numbers. Of almost 8.4 million votes cast, 384,427 were not
recorded for the recall question, either because of an error in the ballot
technology or because the voter didn't register a choice (given the nature
of the election, that's not likely). In the parlance of the field, that's a
"residual rate" of about 4.6 percent.
Surprisingly, there was no correlation between residual votes and the type
of voting technology. Some kinds of punch cards, to be outlawed in
California by spring, "fared somewhat better, on average, than all of the
optically scanned and touchscreen systems," Mercuri wrote in an email. And
on the recall question, Diebold's AccuVote TS - the one Rubin cracked and
attacked - lost the fewest votes of all.
Mercuri's ambivalent findings seem likely to disappear in a debate that,
she says, is losing nuance. To people opposed to digital voting, "you've
got two extremes," she says, "the doofuses who don't know how to vote, and
those who are stealing votes in huge numbers." On the other side, vendors
demonize the tech experts without responding to their ideas. And
politicians, under pressure to ensure Florida never happens again, simply
accept the solution offered by the traditional suppliers. By raising the
specter of hacking, Rubin may have distracted attention from the problem of
poor quality. Even David Allen, coauthor of Bev Harris' book, thinks the
danger of hackers has been overemphasized. "Rigging elections is too hard,
and the stakes are too high," he says of Diebold's misadventures in
Georgia. "It's more likely that crappy software threw the election."
The dark secret of running elections is that the people in charge have
never been able to rely on the security of voting machines, computerized or
otherwise. Much of what they call electoral science is actually just
safeguards that have grown up to prevent fraud, beginning with close
observation of voters at the polls. DREs are supposed to improve on
existing systems, but really they're just a way to keep up with newly
revealed problems endemic to the existing system. "There are secure systems
that can be run insecurely," says Torre, "and insecure systems that can be
run securely." Either way, we're facing another presidential election in
5 Worst-case Scenarios
By Paul O'Donnell
Today's digital voting machines don't keep a paper record of individual
votes, so if something goes wrong, there's no backup for the data. And if
history is a guide, something will go wrong. Officials have answers for
every scenario, but some of their solutions are more convincing than others.
SCENARIO: A rogue programmer tweaks the code to swap votes from Democrat to
Republican, or vice versa.
SAFEGUARD: Logic-and-Accuracy testing roots out any such code bombs. And in
the actual program that counts votes, ballot positions are scrambled,
making a switch hard to mastermind.
SCENARIO: A voter upgrades his access with a counterfeit version of the
smartcard issued to every person as they vote. Result: He can vote multiple
SAFEGUARD: The voting booths have no curtains; polling-place volunteers are
trained to watch for suspicious behavior.
SCENARIO: A hacker changes the count on memory cards from individual
machines or on the server used to tally the votes.
SAFEGUARD: The number of votes won't match the totals on hardwired memory
in each DRE device - or the number of voters who signed the rolls.
SCENARIO: A power outage cuts electricity to the polls.
SAFEGUARD: Internal batteries provide juice in a blackout, and many polling
places - schools, churches, and so on - have disaster preparedness kits
that include generators.
SCENARIO: Someone walks out of a polling booth and announces he has gamed
the machine and no one will ever figure out how.
SAFEGUARD: Polling-place staffers take the DRE offline and call tech
support for a diagnostic. Meanwhile they look for obvious discrepancies,
like more votes recorded than voter signatures on the rolls.
Paul O'Donnell is a producer at Beliefnet.
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]