Published on Wednesday, March 10, 2004 by the Baltimore Sun
An Insider's View of Vote Vulnerability
by Avi Rubin
I BECAME EMBROILED in the national debate about electronic voting security when I co-authored a report exposing serious security flaws in Diebold Inc.'s AccuVote-TS machines.
The day before we released our report in July, Maryland officials announced that they were buying $55.6 million worth of these machines. Rather than asking me to work with them, which I offered to do several times, state officials immediately targeted me with criticism and discounted my findings. They continue to do so despite three subsequent studies, two of them paid for by the state, which confirmed our initial findings.
The main problem with electronic voting machines that do not provide voter-verifiable paper ballots is that they are entirely controlled by software.
I worked as an election judge during the March 2 primary in Baltimore County. It was the best thing I could have done to learn about election security. While some of my previous security concerns appeared less threatening given the procedures we followed, others seemed worse.
My July report suggested that a voter could create a bogus voter access card, or smart card, in a garage and cast multiple votes. The procedures in place at the polling site most likely would catch this. We counted all of the voter authorization cards every hour and compared them with the number of votes counted by the machine. We also counted the totals on the machines hourly and compared them with the totals in the registration roster that we used to check in the voters.
If any voter managed to vote multiple times, it would be detected within an hour. I have no idea what we would do in that situation, but we'd have a serious problem on our hands. But at least we would know it.
I was amazed at the number of counts and pieces of paper that we shuffled throughout the day in what was billed as a paperless electronic election.
But the way votes are tallied at the poll site and sent electronically to the central tallying location for all the precincts is much more vulnerable than I previously thought.
Each of the voting machines at the precinct contains a memory card on which votes are tallied.
When the polls close, all of the cards are removed and loaded, one at a time, onto one of the machines. This machine is then connected to a modem, and the vote tallies are transmitted to a central server at the Board of Elections.
My research team observed that the encryption of the modem connection was carried out incorrectly in the Diebold machines so that anyone able to tap the phone lines would be able to tamper with the tally and change votes. In my precinct, the phone line didn't work; the memory cards were taken to the Board of Elections office by the chief judges.
Software is highly complex. I have observed that large software packages are so complex that there is no way to successfully examine a program for malicious behavior. So if voting machine vendors wanted, they could control the outcome of the election with no one ever knowing that the results had been programmed into the voting machines.
Further, there are well-funded foreign powers that would not hesitate to bribe or threaten a programmer to rig the machines so that the outcome of the election went a certain way.
After my experience as a judge, I still believe that the Diebold machines, and ones like them from other vendors, represent a major threat to our democracy. We have put our trust in the outcome of our elections into the hands of a few companies (Ohio-based Diebold Election Systems, Sequoia Voting Systems, which is based in California, and Election Systems and Software in Omaha, Neb.).
They are in a position to control the outcomes of our elections, and there's no way anyone can know if they, or someone working for them, did something underhanded. And meaningful recounts are impossible with these machines.
Voter-verifiable paper ballots could counteract these problems.
We have great people working in the trenches and on the front lines on election days. They are ordinary people, mostly elderly, who believe in our country and our democracy and work like crazy for 16 hours, starting at 6 a.m., to try to keep the mechanics of our elections running smoothly. It's a shame that the e-voting tidal wave has a near-hypnotic effect on these judges and almost all voters.
I am much better equipped after having been a judge to argue against e-voting machines. But I also greatly appreciate how hard it's going to be to fight them because of how much voters and election officials love them.
My biggest fear is that Super Tuesday on March 2 will be viewed as a big success. But the more electronic voting is viewed as successful, the more it will be adopted and the greater will be the risk when someone decides to exploit the weaknesses of these systems.
Avi Rubin, a computer science professor at the Johns Hopkins University specializing in security, cryptography and e-voting, is technical director of the school's Information Security Institute.
Copyright © 2004, The Baltimore Sun