Every voting method has its weakness, every election its share of incompetence or fraud. Ballot boxes can be stuffed or turn up in strange places, such as a Dumpster. Lever machines preserve no records of individual ballots in case of a recount. Optical-scan cards, which require the voter to blacken a rectangle with a special pen, don’t work when voters fail to follow the directions. “People have tried to mark them with highlighters, with lipstick, or even by punching holes in them,” says Alfie Charles of Sequoia Voting Systems, a manufacturer of touch-screen machines. And ever since the last presidential election, everyone knows what’s wrong with punch cards.
Electronic voting machines are meant to put such sorry episodes behind us. As simple in design as they are sophisticated in their programming, they usually look and function much like ATMs, with touch screens that are nearly impossible to misunderstand. (Diebold Election Systems, one of the three companies that dominate the electronic voting market, is in fact a division of an ATM manufacturer.) There is a crucial difference, though. Bank machines have built-in safeguards against fraud and machine error—paper receipts, identification cards, camera surveillance. Voting machines, on the other hand, are often banned by law from recording a voter’s personal information or handing out paper receipts. Otherwise, someone could buy your vote and demand the receipt as proof.
The pitfalls of paperless voting became clear this January in Broward County, Florida. Broward was the site of one of the more infamous recounts in the 2000 presidential election, so the county switched to electronic machines soon afterward. In the recent election, however, the race for a seat in Florida’s House of Representatives was decided by only 12 votes, and the machines reported 134 blank ballots. The machine or the ballot design probably confused those voters, but there were no paper ballots to recount, no chads to examine. The votes were simply gone.
Electronic voting machines are especially worrisome because they offer the potential for undetected mischief. “You can rig it in an invisible way on a massive scale,” says Peter Neumann, a computer scientist at the consulting company SRI International. With just a little inside knowledge of a machine, a rogue programmer could create a Trojan horse program that looks like useful code but surreptitiously changes votes from one candidate to another. Critics say that voting machine companies, anxious to preserve a NASA-like aura of infallibility, won’t even consider such scenarios. “When you bring it up they get this blank look on their faces,” says David Dill, a professor of computer science at Stanford University. “You can’t even have a serious discussion.”
Until the demand for electronic voting machines swelled in the wake of the 2000 presidential election, the concerns of computer scientists were largely hypothetical. Then in February of last year, source code from Diebold Election Systems turned up on a Diebold Web site, unprotected by any passwords. Four computer scientists from Johns Hopkins and Rice University scrutinized the code (it wasn’t clear how much of it is still used in Diebold’s machines) and published their findings last July. “I don’t think that anyone in their wildest speculation had imagined how bad it would be,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University who has examined Diebold’s code.
The research team concluded that Diebold machines are far from tamper-proof. To activate one of the machines, the voter needs to insert a “smart card”—something like an ATM card with a computer chip in it. But the investigators noted that Diebold had not taken even elementary precautions against forged cards. In the machines themselves, votes were encrypted with a not-very-secret key that was “hard coded” into the software. The research team characterized this as a blunder comparable to giving a master key to everyone in an apartment building: Anyone who figured out the code for one machine could tamper with every machine in the country. “Hard coding is a definite no-no that you learn about in Computer Security 101,” says Yoshi Kohno, one of the authors of the Johns Hopkins report.
Representatives of Diebold argue that voters would never get a chance to create a homemade smart card: They would receive the card at the polls and turn it back in after they finished. “Poll workers would make sure each voter only signs in once, and they would watch their activity to make sure no foul play occurs,” says Mark Radke, Diebold’s director of marketing.