- In January 2003, voting activist Bev Harris was holed
up in the basement of her three-story house in Renton, Washington, searching
the Internet for an electronic voting machine manual, when she made a startling
discovery.
-
- Clicking on a link for a file transfer protocol site
belonging to voting machine maker Diebold Election Systems, Harris found
about 40,000 unprotected computer files. They included source code for
Diebold's AccuVote touch-screen voting machine, program files for its Global
Election Management System tabulation software, a Texas voter-registration
list with voters' names and addresses, and what appeared to be live vote
data from 57 precincts in a 2002 California primary election.
-
- "There was a lot of stuff that shouldn't have been
there," Harris said.
-
- The California file was time-stamped 3:31 p.m. on Election
Day, indicating that Diebold might have obtained the data during voting.
But polling precincts aren't supposed to release votes until after polls
close at 8 p.m. So Harris began to wonder if it were possible for the company
to extract votes during an election and change them without anyone knowing.
-
- A look at the Diebold tabulation program provided a possible
answer.
-
- Harris discovered that she could enter the vote database
using Microsoft Access -- a standard program often bundled with Microsoft
Office -- and change votes without leaving a trace. Diebold hadn't password-protected
the file or secured the audit log, so anyone with access to the tabulation
program during an election -- Diebold employees, election staff or even
hackers if the county server were connected to a phone line -- could change
votes and alter the log to erase the evidence.
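-
- The weakness described above, an audit log that can be edited as freely as the votes it is meant to protect, is what a keyed hash chain is designed to expose. The following is an added illustration, not code from the article or from Diebold's software; the record layout, the function names and the sample entries are constructed, and it assumes the key is kept outside the database file and the latest chain head is recorded somewhere an editor of the file cannot reach.

```python
import copy
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # anchor value that the first record chains to


def _mac(key: bytes, seq: int, prev: str, entry: dict) -> str:
    # Canonical JSON so identical content always produces identical bytes.
    body = json.dumps({"seq": seq, "prev": prev, "entry": entry},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def append(log: list, key: bytes, entry: dict) -> str:
    """Add an entry and return the new chain head, to be recorded off-machine."""
    prev = log[-1]["mac"] if log else GENESIS
    seq = len(log)
    mac = _mac(key, seq, prev, entry)
    log.append({"seq": seq, "prev": prev, "entry": entry, "mac": mac})
    return mac


def verify(log: list, key: bytes, witnessed_head: str) -> str:
    """Return 'ok' or a description of the first inconsistency found."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return f"record {i}: chain broken (row removed or reordered)"
        if not hmac.compare_digest(rec["mac"], _mac(key, i, prev, rec["entry"])):
            return f"record {i}: entry altered"
        prev = rec["mac"]
    # A chain that is internally consistent can still be shortened or rebuilt,
    # so the final MAC must match the value witnessed outside the file.
    if not hmac.compare_digest(prev, witnessed_head):
        return "log truncated or replaced: head does not match witnessed value"
    return "ok"


def demo() -> dict:
    key = secrets.token_bytes(32)  # assumption: held by auditors, not in the file
    log, head = [], GENESIS
    for votes in (101, 250, 77, 310):  # constructed sample entries
        head = append(log, key, {"precinct": 12, "event": "upload", "votes": votes})

    edited = copy.deepcopy(log)        # one row changed in place
    edited[1]["entry"]["votes"] = 999

    removed = copy.deepcopy(log)       # one row deleted
    del removed[2]

    truncated = copy.deepcopy(log)[:-1]  # last row dropped

    rebuilt = []                       # whole chain recomputed by a key holder
    for rec in log:
        entry = dict(rec["entry"])
        if rec["seq"] == 1:
            entry["votes"] = 999
        append(rebuilt, key, entry)

    return {
        "intact": verify(log, key, head),
        "edited": verify(edited, key, head),
        "removed": verify(removed, key, head),
        "truncated": verify(truncated, key, head),
        "rebuilt": verify(rebuilt, key, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} {result}")
```

The last case shows why the witnessed head matters: someone who holds the key can rebuild a consistent chain, but not one that ends in the value already recorded elsewhere.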
-
- "It was getting scarier and scarier," Harris
said. "I was thinking we have an immense problem here that's much
bigger than me."
-
- Over the past year, doubts about the accuracy and integrity
of e-voting equipment have been growing, thanks to Harris' discovery. Some
election officials have called Harris, a 53-year-old mother of five and
a self-employed publicist, a wacko, a conspiracy nut and even a threat
to democracy for her role in raising the controversy. But day by day, other
election officials, secretaries of state, legislators and voters have come
to agree with her that something is seriously wrong with electronic voting
systems and the companies that make them.
-
- In 2002, Congress passed the Help America Vote Act, or
HAVA, which allocated $3.9 billion in matching federal funds to help states
upgrade to new e-voting systems. Touted as the answer to the hanging chads
in Florida that marred the 2000 presidential election, e-voting machines
have been lauded by their makers as faster, more accurate and easier to
use than punch-card and lever machines. But election glitches involving
the systems paint a different picture, depicting machines that sometimes
fail to boot up, fail to record votes or even record them for the wrong
candidates. Computer scientists say the machines are also easy to hack.
-
- In addition to glitches, there are concerns about the
people behind the machines. A few voting company employees have been implicated
in bribery or kickback schemes involving election officials. And there
are concerns about the partisan loyalties of voting executives -- Diebold's
chief executive, for example, is a top fund-raiser for President Bush.
-
- Despite all this, many election officials who have purchased
the machines for their counties deny the systems' vulnerability to miscounts
or rigging and vehemently defend the integrity of the voting companies.
-
- E-voting machines aren't new. They've been around since
the 1960s and '70s, when optical-scan and punch-key machines (where a voter
chooses candidates with a keyboard) were introduced. Paperless touch-screen
machines, also known as Direct Recording Electronic machines, appeared
in the '90s. However, they cost about $3,000 each, and few counties opted
to buy them until funds became available through HAVA.
-
- According to political consulting firm Election Data
Services, about 50 million people in the United States will vote this November
using paperless touch-screen voting machines, while 55 million will use
optical-scan machines that require voters to use a pen to mark a paper
ballot, which an electronic machine then scans.
-
- Both systems have experienced problems in elections.
But when optical-scan machines misread ballots or miscalculate votes, election
officials can re-scan the ballots or recount them by hand. Touch-screen
votes, however, exist only in digital form, so officials can't know if
a machine records votes inaccurately. Nor can they correct the problem
after the fact if somehow they do discover that a machine has recorded
votes inaccurately.
-
- The controversy around e-voting began in September 2002
when Harris read an online article under the provocative headline, "Elections
in America: Assume Crooks Are in Control."
-
- Written by environmental activist Lynn Landes, the article
was based partly on a 1992 book on election rigging called Votescam: The
Stealing of America.
-
- Landes said she realized that the right to vote was useless
as long as she had no way of verifying that her vote was recorded accurately.
-
- "When we're using lever machines, touch-screen voting
machines or the Internet, we are not voting, the machine is voting,"
Landes said. "We're inputting our choice and hoping the machine is
(recording it) correctly."
-
- She was concerned that voting machines were closed to
public scrutiny, and the people who made them were not subject to background
checks.
-
- "Felons and foreigners can, and do, own computer
voting machine companies," Landes wrote, suggesting that the Russian
mafia could be behind U.S. elections and no one would know.
-
- As it turned out, two of the top three companies did
have foreign ties. Diebold Election Systems began as a Canadian firm called
Global Election Systems before being purchased by Ohio-based Diebold Inc.
in January 2002. And Sequoia Voting Systems is owned by two foreign firms
-- 85 percent by De La Rue, a British company, and 15 percent by the Jefferson
Smurfit Group of Ireland.
-
- As for criminal activity, a Sequoia regional manager
was indicted in Louisiana in 2001 for conspiring to commit money laundering
and bribery, although he was never convicted. Philip Foster was accused
of facilitating a 10-year kickback scheme between his brother-in-law and
an election official involving millions of dollars in overcharges for voting
equipment. But while the election official went to jail, Foster, who still
works for Sequoia, received immunity for his testimony and is in the process
of trying to get the charges expunged from his record.
-
- Sequoia spokesman Alfie Charles said the voting equipment
in question wasn't Sequoia equipment, and that "Sequoia has never
been under any investigation regarding the situation in Louisiana and absolutely
no allegations of improper conduct have been directed at the company."
-
- Tom Eschberger, a vice president for the largest voting
firm, Election Systems & Software, or ES&S, was also involved in
a bribery and kickback scheme, this one in Arkansas. Former Arkansas Secretary
of State Bill McCuen was convicted for his role in the crime, but Eschberger,
like Foster, received immunity.
-
- ES&S won't comment on the matter other than to say
that Eschberger "wasn't prosecuted."
-
- "I was casting a net out and challenging other people
to look at this issue," said Landes, the environmental activist. "If
I could find this much disturbing information in a short length of time,
what could other people find?"
-
- Harris was not the least bit interested in voting when
she read Landes' article. She was a book publicist who promoted titles
like They Told Me I Couldn't, a belly dancer's account of sword dancing
through Colombia, and Belly Laughs, a collection of tales from belly dancers
around the world.
-
- But she was interested in investigations. She once had
tracked the moves of an accountant who embezzled $80,000 from her PR business,
and she had conducted background research on Bush's Rangers -- an elite
group of fund-raisers for the president -- for the fun of it.
-
- "I thought, I know how to do this. I'll just go
find this stuff out. I literally viewed it as a 20-minute (project),"
she said.
-
- So one day on a whim, after completing her publicity
calls, Harris typed the words "stock ownership" and the name
Election Systems & Software into a search engine and pulled up a slew
of articles. Reading the oldest ones first because that's where companies
"give information that they haven't yet thought to hide," she
uncovered some startling facts.
-
- Up until 1995, Nebraska Sen. Chuck Hagel had been chairman
of ES&S (then called American Information Systems) before quitting
the company in March of that year two weeks before launching his Senate
bid. ES&S, based in Omaha, Nebraska, manufactured the only voting machines
used in the state in his election the following year. According to Neil
Erickson, Nebraska's deputy secretary of state for elections, the machines
counted 85 percent of votes in Hagel's race; the remaining votes were counted
by hand.
-
- Hagel, a first-time candidate who had lived out of the
state for 20 years, came from behind to win two major upsets in that election:
first in the primary race against a fellow Republican, then in the general
race against Democrat Ben Nelson, the state's popular former governor.
Nelson began the race with a 65 percent to 18 percent lead in the polls,
but Hagel won with 56 percent of the vote, becoming the state's first Republican
senator since 1972.
-
- Now it was October 2002. Hagel was up for re-election,
and Harris discovered that the senator still owned a financial stake in
his former firm. Hagel held investments worth between $1 million and $5
million in the McCarthy Group. (Hagel won't reveal the exact size of his
investment in the asset-management firm.) The McCarthy Group owns about
25 percent of ES&S, according to Hagel's chief of staff, Lou Ann Linehan.
She estimated that Hagel's stake in ES&S amounts to about 1.5 percent.
-
- Hagel disclosed the McCarthy investment in his campaign
filings, but he neglected to mention that McCarthy owned part of the company
counting his votes. His campaign treasurer, Michael R. McCarthy, was also
chairman of the McCarthy Group and a member of ES&S's board of directors.
-
- "That's about all it took," Harris said, expressing
surprise that no reporters had bothered to uncover data that took only
a few Internet searches to find.
-
- In addition to raising concerns about the integrity of
Hagel's election, the information raised concerns for Harris about Hagel's
vote in Congress on HAVA. As he prepared for re-election that year, Hagel,
along with hundreds of other legislators, passed the bill, which devoted
billions of federal dollars to purchasing new voting machines like the
ones ES&S made.
-
- Harris thought someone in Nebraska should know about
this. So, a month before the November election, she faxed a five-page press
release, including supporting documents, to 3,000 journalists around the
country, among them editors for Nebraska newspapers and broadcast stations,
she said. No one responded.
-
- She wasn't surprised that the Omaha World-Herald, the
state's largest newspaper, didn't jump on the story. The Omaha World-Herald
Co., the paper's parent company, owns part of ES&S (the newspaper declined
to say how much). But the silence from other editors stunned her.
-
- "I thought, 'That's strange, it's right there.'
I even circled it (on the documents) for them," she said, noting that
as a book publicist she generally had no trouble getting editors to jump
at cookbooks about beans.
-
- The Omaha World-Herald wouldn't discuss the paper's coverage
of Hagel. But Hagel's staff faxed Wired News a 2,600-word profile of Hagel
published in the World-Herald in October 1996 that briefly mentioned in
three paragraphs the senator's chairmanship of the voting company. It also
noted that World-Herald publisher John Gottschalk was the person who recruited
Hagel to the voting company in 1992. The article, however, didn't address
the potential conflict-of-interest issue.
-
- "We haven't covered it too much. This is kind of
a tricky area," said World-Herald reporter David Kotok, who declined
to say more before hanging up.
-
- When Wired News asked World-Herald executive editor Larry
King about his paper's coverage of Hagel, he said, "You're hitting
me cold with questions about something that happened in 1996. I would never
have one of my reporters do that. I'm not going to respond to this."
Wired News later e-mailed questions to King but he didn't respond.
-
- Harris posted the information about Hagel to her publicity
website, and ES&S sent her a cease-and-desist letter, the first of
three that she would receive from voting companies over the next year.
The letter, hand-delivered by a courier, warned Harris to retract statements
on her website that implicated Hagel in wrongdoing or face a lawsuit.
-
- "That was very frightening," she said. "Especially
because it came with a knock on the door. I knew we stood a very good chance
of losing everything. (My husband and I) have five college-age kids ...
and we had no money for an attorney."
-
- But activism is in Harris' blood. Relatives on her mother's
side hosted a stop on the Underground Railroad, she said. And her husband,
an African-American from the South, was passionate about the right to vote,
long denied to his ancestors.
-
- So Harris contacted a Hagel opponent, Democratic hopeful
Charlie Matulka, a construction worker and first-time office seeker, two
weeks before he was to square off against incumbent Hagel at the polls.
-
- Matulka sent a letter to the Senate Ethics Committee
requesting an investigation into Hagel's finances. But by the time the
committee director responded, Hagel had already won the race. The director
wrote that Matulka's complaint had no merit.
-
- Three months after the election, Alexander Bolton, a
reporter for The Hill, a newspaper covering Capitol Hill, began reporting
a story about Hagel's connection to the voting firm. But before the article
ran, he got a visit from Linehan, the senator's chief of staff, who was
accompanied by "a prominent GOP lawyer." According to Bolton,
they asked him "to soften the story or drop it."
-
- The staff's attempt to influence Bolton's story wasn't
unusual. "That's what congressional staffs do," Bolton said.
But the interest of the GOP lawyer was different. "That was very unusual,"
Bolton said. "I've been at The Hill for over four years and that has
never happened. It's probably because Hagel has presidential ambitions."
-
- Hagel, a 57-year-old telecommunications millionaire and
twice-wounded Vietnam veteran, was on the short list for George W. Bush's
running mate in 2000, a slot that ultimately went to fellow Nebraskan Dick
Cheney. Hagel and his staff haven't ruled out a possible presidential bid
by Hagel in 2008.
-
- They have, however, ruled out Harris' interpretation
of events.
-
- "She's misinformed and she misleads," Linehan
said, adding that Hagel's employment with ES&S was well-known in Nebraska
and was never kept secret. His connection to the McCarthy Group has been
on his bio since 1995, she said, and anyone interested could have connected
the dots to see that he had a financial interest in the voting company.
-
- She also said that under Federal Election Commission
filing rules, which politicians and congressional staffers often complain
are murky and open to interpretation, Hagel didn't have to list the McCarthy
Group's underlying assets.
-
- "When Hagel ran, he knew there would be questions
about what he did and when," Linehan said. "He disclosed everything
he was supposed to disclose in 1995. We never did anything wrong. We did
not mislead."
-
- Linehan faxed a letter to Wired News from the Senate
Ethics Committee dated May 2003, which concluded that Hagel did not violate
its rules. However, the committee had changed the way it traditionally
interpreted the rules after Hagel's staff met with it to discuss the allegations
against the senator. The letter was issued after the rule change.
-
- As for the integrity of Hagel's election, Linehan said
polls conducted by the Omaha World-Herald and Gallup days before Hagel's
1996 race showed him and opponent Ben Nelson neck and neck. She also noted
that the voting machines used in Nebraska were optical-scan machines with
paper ballots. If anyone had questioned the election, officials could have
recounted the ballots.
-
- "But nobody ever questioned the results," Linehan
said.
-
- Hagel's opponent in the 2002 race, Charlie Matulka, did
request a recount, but election officials refused. Matulka wanted the ballots
recounted by hand, but officials said that Nebraska law only permitted
optical-scan ballots to be rescanned in a recount.
-
- Erickson, Nebraska's deputy secretary of state for elections,
said he wasn't concerned about Hagel's connection to the voting company
because the state had been using ES&S's machines for half a dozen years
before Hagel joined the company.
-
- While potential conflicts of interest are disconcerting,
they mean little if voting machines can be trusted to count accurately.
So Harris, after investigating Hagel, decided to look for instances where
e-voting machines counted inaccurately.
-
- "When I put the four magic words into a search engine
-- voting machine and glitch -- there was this litany of miscounts,"
she said.
-
- Harris documented 56 cases in which software flaws were
implicated in miscounts and wrote an account of them (PDF) on her website.
"I didn't finish (finding cases)," she said. "I just got
tired of writing." In Dallas County, Texas, in 1998, for example,
ES&S tabulation software failed to count about 44,000 votes that its
optical-scan machine had recorded on ballots. In 2000 in Allamakee County,
Iowa, 300 ballots fed into an ES&S optical-scan machine produced 4
million votes. The machine broke down repeatedly and flashed absurd numbers
throughout the evening, election auditor Bill Roe Jr. told the Chicago
Tribune.
-
- "Equipment failures such as this are rare,"
wrote ES&S spokeswoman Meghan McCormick in an e-mail when asked about
the problem. "When they do occur we carefully review each situation
and make changes as needed."
-
- Last year in Fairfax County, Virginia, which used machines
made by Advanced Voting Solutions, voters in three precincts complained
that when they touched the box next to school board member Rita Thompson's
name to vote for her, an "X" appeared in the box, but then disappeared.
They had to press the box up to five times before their selection took.
Thompson lost the election by 1 percent of the vote.
-
- Fairfax election officials had promised voters that the
new machines would speed up the reporting of results, but another glitch
prevented poll workers from transmitting votes to the county after polls
closed, producing one of the slowest counts anyone could remember. Fairfax
electoral board secretary Margaret Luca said it was noon the next day before
results were in -- as opposed to 11 p.m. on election night when the county
had finished in the past.
-
- "We've just done an electronic Florida," state
Sen. Ken Cuccinelli (R-Fairfax) told the Washington Post when it was over.
Curiously, Luca gave the voting machines "an A-plus" anyway.
-
- Harris said it concerned her that only large discrepancies
seemed to get reported. "You're going to catch it when you know that
5,000 votes are cast and 140,000 are counted," she said. "But
what if it's a difference of 500 or 100? Who checks?"
-
- Furthermore, she said, "The word 'glitch' ... sounds
benign. Like it's always going to happen. But incorrect software programming
means someone needs to be held accountable.... Besides the fact that there
were programming errors, they were giving the elections to the wrong people."
-
- In the 2002 general election in Scurry County, Texas,
for example, poll workers grew suspicious when two Republican commissioners
won landslide victories on ES&S optical-scan machines. When officials
recounted the ballots twice by hand, the wins went to their Democratic
opponents instead.
-
- The most famous example of election flipping occurred
in the hotly contested 2000 presidential election in Florida when the tabulation
system for Diebold's optical-scan system subtracted votes from Al Gore's
total. While hanging chads distracted the nation, a few people noticed
that in a Volusia County precinct where only 412 people voted, a Diebold
system actually deleted votes for Gore, giving him minus 16,022 votes.
Bush received 2,813 votes. Some news media had already called the win (PDF,
see page 20) for Bush when someone noticed the numbers.
-
- Diebold spokesman David Bear said the problem wasn't
the machine but the result of someone uploading a second, faulty memory
card to the county server after workers had already uploaded the real precinct
results from another card.
-
- "This error was immediately detected, through normal
auditing procedures, and the votes were re-tabulated," Bear wrote
in an e-mail.
-
- In many stories about voting machine glitches that Harris
found, no follow-up news stories explained what went wrong with the machines.
Where explanations did occur, officials blamed poll-worker error or "minor
programming flaws," with the caveat that the glitches didn't affect
the outcome of the election, making them irrelevant.
-
- Election officials, most of whom have no technical background,
relied on the vendors' claims that their systems were fine. In many cases,
it was the vendor who stepped in to fix the machines and provide
an explanation to feed reporters. The situation highlighted a concern among
critics that election officials had become increasingly dependent on voting
companies to run their elections.
-
- In fact, the relationship between vendors and election
officials has raised questions about conflicts of interest around the country.
Manufacturers vying for million-dollar contracts have sponsored national
and state conferences for election officials and courted some officials
with expensive meals, cruises and tickets to concerts and sporting events,
according to a Los Angeles Times investigation. They also hire former state
employees to ease their way through contract negotiations and certification
processes.
-
- For example, after she left office, former Florida Secretary
of State Sandra Mortham, a one-time running mate of Florida Gov. Jeb Bush,
became a lobbyist for both ES&S and the Florida Association of Counties.
During that time, the association signed an exclusive endorsement deal
with ES&S to earn a commission on any contracts that counties signed
with the voting company. Karen Marcus, the association's president when
the deal was signed, said Mortham didn't broker the partnership, nor did
the association pressure counties to purchase ES&S machines.
-
- In California, where counties are under court order to
replace punch-card machines and will likely spend $400 million on new equipment,
former Secretary of State Bill Jones praised the virtues of touch-screen
voting while in office in 2001, sponsoring a $200 million bond measure
to help counties purchase new e-voting machines. Support for the bill,
which passed in 2002, was financed by Sequoia and ES&S. Jones became
a consultant for Sequoia after leaving office and is now a GOP Senate candidate.
-
- Lou Dedier, who once supervised the certification process
for voting systems in California, prompted an ethics investigation when
he participated in certification discussions for a competing company after
accepting a job with ES&S. In a company press release announcing his
new job, Dedier called ES&S machines "by far the best elections
systems" he had ever seen.
-
- As Harris began to uncover more information about e-voting
glitches, she decided to write a book about the voting companies and their
machines. She launched BlackBoxVoting to track the progress of her investigation
and contacted several publishers to pitch her idea. But no one wanted to
touch it. They all told her voting was boring.
-
- Only David Allen, a North Carolina publisher of comic
book titles like Bastard Operator From Hell and My Big Fat Geek Wedding,
was interested. It turned out to be a propitious partnership, though, since
Allen had a background in systems administration and could answer some
of Harris' technical questions. It was Allen who sent her in search of
a voting machine manual, which led to the FTP site and the discovery of
Diebold's source code.
-
- "I knew that in order to really understand the potential
for vote-rigging, we had to know how the systems worked," Allen said.
-
- Diebold had installed the FTP site so that employees
around the country could communicate with each other and transfer files.
But somehow the company neglected to secure it. Harris wondered how the
company could secure the nation's elections if it couldn't secure its own
source code.
-
- Ironically, Diebold's parent company was known for its
security products. Diebold began as a safe and bank vault maker in Ohio
in 1859, and over the years has produced jail cells and security systems.
The company developed the system that secures the Hope Diamond at the Smithsonian
Institution and recently constructed security vaults to contain the Constitution,
Bill of Rights and Declaration of Independence at the National Archives.
-
- Currently one of the largest makers of automatic teller
machines, the company entered the voting business in 1999 after purchasing
a Brazilian technology firm and winning a $105.5 million contract to supply
about 200,000 voting systems to the Brazilian government.
-
- In 2002, Diebold jumped into the lucrative U.S. elections
market by acquiring Canada's Global Election Systems and taking over its
division in McKinney, Texas, to launch Diebold Election Systems. In 2000,
prior to the passage of HAVA, Global Election Systems had reported a profit
of just $1.1 million on total revenues of $20.2 million. Last year, Diebold's
election division reported an operating profit of about $100 million.
-
- Even as the company's profits were growing, a handful
of critics were trying to warn the public about the insecurity of e-voting
systems. Their efforts were hampered, however, because none of them had
seen the inside of a voting system.
-
- Harris' discovery of Diebold's source code was significant
because until then the only people who had seen the workings of a voting
system had been forced to sign non-disclosure agreements. Anyone else who
criticized the systems could do so only in theory, without seeing the code.
-
- But the burden of Harris' discovery was heavy. The more
she uncovered, the more she realized that she didn't have the expertise
to sift through the files alone. So she went to Democratic Underground,
an online political forum, seeking people who could help out. Suddenly,
a community movement was born.
-
- For weeks, about 75 people sifted through the files,
including computer programmers who read the software code and lawyers who
advised her about election law.
-
- "That's the first time I really felt that I had
some kind of support network, other than my husband," she said. "I
could hash out ideas and ... everybody had expertise in different things."
-
- As they uncovered more problems with the code and Harris
published their results online, the pressure mounted, as did the paranoia.
Harris worried that Diebold employees reading Democratic Underground would
pose as activists to bait her into revealing information, or into opening
password-protected documents that could get her in trouble. Other activists
talked cryptically about cut brake lines in their cars or expressed suspicions
about having their phone lines tapped.
-
- Harris alternated between feistiness and fear before
deciding that she needed to bring in academic experts who could formally
analyze the code and weigh in on the security of the system.
-
- She contacted Stanford University computer scientist
David Dill, who had served on a California task force on e-voting and launched
a nonprofit called VerifiedVoting.org to educate people about the need
for a voter-verified paper trail. Dill contacted Avi Rubin, a computer
scientist at Johns Hopkins University and director of the university's
Information Security Institute.
-
- At 36, Rubin was only eight months into his new job as
an assistant professor, but he was hardly unseasoned on the topic of e-voting.
-
- In 1997, the Costa Rican government asked AT&T Labs
Research, where Rubin was working, to design an e-voting system. But after
Rubin met with them, "they decided we had scared them sufficiently
about security and scrapped the whole project," he said.
-
- Rubin was also a panelist for an e-voting feasibility
study launched by the National Science Foundation at the request of President
Clinton in 2000. And he had just finished teaching a graduate course on
e-voting security in which students spent the first weeks of the class
designing e-voting systems, then devising ways to break into them.
-
- "No system in the class was unbreakable," Rubin
said. "It was really good training for the Diebold thing."
-
- He contacted two grad students, 25-year-old Yoshi Kohno,
a University of California at San Diego student who was in Maryland for
the summer, and 22-year-old Adam Stubblefield, who was only two years away
from completing his Ph.D. at Johns Hopkins.
-
- Stubblefield made a name for himself in 2001 when he
and a team of researchers that included Rubin cracked the encryption code
used in Wi-Fi networks and exposed the networks' insecurity. The news made
headlines and led the industry to revamp the wireless encryption protocol.
He was also part of a group that broke the music industry's watermark code,
which had been designed to thwart piracy.
-
- Rubin told the students he had a "drop everything"
project. By the time the three convened, Stubblefield had already downloaded
the Diebold code and printed it out.
-
- He and Kohno divvied up reams of paper and attacked the
code with highlighters and pens. Within half an hour they discovered the
first serious flaw.
-
- It was a basic error that students in Cryptography 101
learn never to make: Diebold's programmers had written the key for unscrambling
the system's encryption directly into the code. This meant the key would
never change, and anyone reading the source code (including anyone who
downloaded it from the FTP site) would know it. The same key unlocked the
data on every machine. It was the equivalent of a bank assigning the same
PIN to every customer's ATM card.
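-
- The flaw described above, a single key written into the source and therefore identical on every machine, is shown here beside the usual alternative: a key derived per device and per election from a secret that never appears in the code. This is an added illustration, not code from the article, the researchers' report or Diebold's software; the key value, record format, device names and election labels are constructed, and HMAC integrity tags stand in for the encryption step because the point is how the key is managed, not which cipher is used.

```python
import hashlib
import hmac
import secrets

# Weak pattern from the article: one key written into the source, so it is
# identical on every unit and known to anyone who reads the code.
# Constructed placeholder value, not the key from the Diebold code.
EMBEDDED_KEY = b"constructed-demo-key-in-source"


def seal(key: bytes, record: bytes) -> bytes:
    """Integrity tag over a stored record (stands in for the encryption step)."""
    return hmac.new(key, record, hashlib.sha256).digest()


def check(key: bytes, record: bytes, tag: bytes) -> bool:
    """True if the tag was produced over this record with this key."""
    return hmac.compare_digest(seal(key, record), tag)


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def device_key(master: bytes, election_id: str, device_id: str) -> bytes:
    """Per-device, per-election key; the master secret never ships in the code."""
    info = f"record-seal|{election_id}|{device_id}".encode()
    return hkdf_sha256(master, salt=b"evote-demo-salt", info=info)


def demo() -> dict:
    record = b"precinct=12;contest=1;choice=A"   # constructed sample record
    altered = b"precinct=12;contest=1;choice=B"  # same record with one field changed

    # Embedded key: a tag computed from the source alone verifies on every unit,
    # because every unit checks with the same constant.
    tag_from_source = seal(EMBEDDED_KEY, altered)
    embedded_accepts = check(EMBEDDED_KEY, altered, tag_from_source)

    # Derived keys: the master secret is generated at provisioning time and held
    # outside the code (assumption: in a hardware module or with officials).
    master = secrets.token_bytes(32)
    key_a = device_key(master, "2004-general", "unit-A")
    key_b = device_key(master, "2004-general", "unit-B")
    key_a_next = device_key(master, "2006-primary", "unit-A")

    tag_a = seal(key_a, record)
    return {
        "embedded_key_tag_accepted_everywhere": embedded_accepts,
        "unit_a_accepts_own_tag": check(key_a, record, tag_a),
        "unit_b_accepts_unit_a_tag": check(key_b, record, tag_a),
        "source_key_works_on_unit_a": check(key_a, altered, tag_from_source),
        "key_changes_per_election": key_a != key_a_next,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:40s} {value}")
```

With derived keys, reading the source yields no usable key, one unit's key does not work on another, and changing the election label gives every unit a fresh key.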
-
- "Oh man, we thought, this is horrible," said
Kohno. "We realized that the system was written by novices and we
weren't really surprised then by anything else we found."
-
- For two weeks they did little but pore over the code
and write their analysis. They talked to no one about what they were doing,
fearing that Diebold would try to stop them with a restraining order.
-
- Initially, they thought they might find malicious code
in the software that would allow the results of elections to be changed
at will. Computer scientists had long contended that anyone with access
to a voting system could slip the code in and no one would know.
-
- "We found a system that was so vulnerable in itself
that you didn't need to put malicious code into it to rig an election,"
Kohno said. The system, they concluded, was open to attack from both inside
and out.
-
- In July 2003, they released a 23-page report (PDF). "That's
when the haggis hit the fire," said Allen, the publisher of Harris'
book.
-
- The timing was critical because Rubin's own state, Maryland,
had just signed a $56 million contract to purchase Diebold machines. Georgia
had used 22,000 of the machines exclusively in its 2002 gubernatorial election,
and California was well on its way to purchasing thousands of them.
-
- "There was only a fixed amount of time until the
next primaries to get the machines secure," Rubin said.
-
- None of them could have predicted the publicity that
ensued. TV crews lined the hall outside Rubin's office, and the three spent
the next several days doing nonstop interviews. Rubin went to Capitol Hill
to brief congressional staff and then testified before the Maryland legislature.
He was named a Baltimorean of the year by Baltimore magazine, even though
he'd only moved to the city a year earlier.
-
- David Jefferson, a computer scientist at Lawrence Livermore
National Laboratory who served on California's e-voting task force with
Stanford computer scientist Dill, called the report "a watershed event"
that showed things were "far worse than any of us had ever dreamed."
-
- "It's one thing for a computer scientist to say
we know what the security issues are, but you can only go so far without
having the hard evidence," Jefferson said. "Avi and his authors
were the first to get the hard evidence. I think it was a thunderclap to
the security and election communities."
-
- Diebold derided the report as an amateurish "homework
assignment" by grad students and said the researchers had examined
old code that was never used in an election, a claim that was later disproved.
Election officials accused the Johns Hopkins team of courting media attention
and recklessly undermining the public's confidence in elections. Rubin
said that other critics even sent a letter to the president of Johns Hopkins
trying to get him fired.
-
- "We weren't concerned about being refuted,"
Stubblefield said. "We knew the technical accuracy of what we discovered.
(Critics) could try to spin things against us, but in the end truth prevails."
-
- It wasn't the first time someone had found problems with
Diebold's system. Doug Jones, a computer scientist at the University of
Iowa and a member of Iowa's voting system board of examiners, found the
same problems in 1997 when his state was considering buying the systems.
Jones was particularly disturbed by the same problem that Kohno and Stubblefield
found regarding the encryption key that was coded into the system and was
the same for every voting machine. He told Diebold about his finding, but
a non-disclosure agreement prevented him from going public.
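-
- The flaw that Kohno and Stubblefield found, and that Jones had reported in 1997, is one key written into the code and shared by every machine. The sketch below is an added example, not Diebold's code or the researchers': it contrasts that pattern with per-machine keys derived at provisioning time and counts how many machines one disclosed key affects. It uses HMAC integrity tags in place of the encryption the article describes, and every name, identifier and key value in it is a constructed assumption.

```python
import hashlib
import hmac

# Constructed value standing in for a key literal compiled into every machine.
COMPILED_IN_KEY = b"constructed-demo-key-not-from-any-real-system"

def hkdf_sha256(secret: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a PRK, then expand it into `length` bytes."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def provision_shared(machine_ids):
    """Flawed pattern: every machine carries the same compiled-in key."""
    return {m: COMPILED_IN_KEY for m in machine_ids}

def provision_unique(machine_ids, provisioning_secret: bytes, election_id: bytes):
    """Hardened pattern: a per-machine key derived at provisioning time.
    Assumption: provisioning_secret stays with the election authority
    (for example in an HSM) and never appears in source or on the machines."""
    return {m: hkdf_sha256(provisioning_secret, election_id, m.encode())
            for m in machine_ids}

def tag(key: bytes, record: bytes) -> bytes:
    """Integrity tag over one stored record (HMAC-SHA256)."""
    return hmac.new(key, record, hashlib.sha256).digest()

def exposure(fleet: dict, disclosed_machine: str, record: bytes) -> list:
    """Machines that would accept a record tagged with the key disclosed
    from `disclosed_machine`; the length of this list is the blast radius."""
    t = tag(fleet[disclosed_machine], record)
    return sorted(m for m, key in fleet.items()
                  if hmac.compare_digest(tag(key, record), t))

if __name__ == "__main__":
    ids = ["unit-001", "unit-002", "unit-003"]   # constructed identifiers
    record = b"precinct=12;contest=1;choice=B"   # constructed record
    print(exposure(provision_shared(ids), "unit-001", record))
    secret = bytes(range(32))  # constructed; generate randomly in practice
    print(exposure(provision_unique(ids, secret, b"demo-election"), "unit-001", record))
```

With the shared key the exposure list is the whole fleet; with derived keys it is the one machine whose key was disclosed.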
-
- "I was disappointed to see that the company had
done nothing to fix the problems in all of these years," Jones said
after reading the Johns Hopkins report. Diebold spokesman Bear said the
company fixed the encryption key problem after a second research report
came out last September that raised the same concerns raised by Doug Jones
and Rubin's group.
-
- "If any of the multitudes of reviewers of our system
find any issues we immediately investigate the issues and where appropriate
modify the system to address the issues," Bear wrote in an e-mail.
-
- Long before Jones expressed his concerns about the Diebold
system, computer scientist Rebecca Mercuri, an e-voting expert and a fellow
at Harvard University's Kennedy School of Government, had been warning
about the insecurity of e-voting in general ever since her Pennsylvania
county contemplated buying e-voting equipment in 1989. She helped convince
New York City to abandon a planned $60 million voting contract with Sequoia,
but few others, including computer scientists, took her warnings seriously.
-
- Although any voting system is open to fraud, digital
machines made it easier to affect vast numbers of votes with little effort,
Mercuri said. She was the first to call for voter-verified paper ballots
to be used with e-voting machines. The Mercuri Method, as it's now known,
would require machines to produce a paper receipt that voters could see,
but not touch, to verify that the machine recorded their votes correctly
before the receipt is deposited into a secure ballot box. It's a solution
that nearly all critics of e-voting are now demanding.
-
- Jefferson, the computer scientist from Lawrence Livermore,
admits that he "just didn't get it" for many years, and said
Mercuri had been "alone in the wilderness for a long time."
-
- "I think the work that Rebecca and others did before
us put the fuel out there. We just provided the spark," Rubin said.
-
- To many e-voting critics, the Rubin report highlighted
serious problems with federal certification processes and standards, which
they say addressed the functionality of voting systems but not their security.
-
- "If the Diebold system made it through the certification
process, then the certification process is really broken," Rubin said.
There was no reason to believe that systems made by other vendors were
any more secure, he said.
-
- In fact, in a certification report for the Diebold system
that Doug Jones read in 1997, an unnamed certifier for Wyle Laboratories
called the Diebold system, which was then called the I-Mark Electronic
Ballot Station, the best of the lot. "This is the best voting system
software we've ever seen," the certifier wrote.