The Cryptography of...Voting Machines

Electronic skullduggery could create greater confusion than hanging chads.

By Dana Mackenzie|Saturday, May 29, 2004
RELATED TAGS: GADGETS, COMPUTERS

Every voting method has its weakness, every election its share of incompetence or fraud. Ballot boxes can be stuffed or turn up in strange places, such as a Dumpster. Lever machines preserve no records of individual ballots in case of a recount. Optical-scan cards, which require the voter to blacken a rectangle with a special pen, don’t work when voters fail to follow the directions. “People have tried to mark them with highlighters, with lipstick, or even by punching holes in them,” says Alfie Charles of Sequoia Voting Systems, a manufacturer of touch-screen machines. And ever since the last presidential election, everyone knows what’s wrong with punch cards.

Electronic voting machines are meant to put such sorry episodes behind us. As simple in design as they are sophisticated in their programming, they usually look and function much like ATMs, with touch screens that are nearly impossible to misunderstand. (Diebold Election Systems, one of the three companies that dominate the electronic voting market, is in fact a division of an ATM manufacturer.) There is a crucial difference, though. Bank machines have built-in safeguards against fraud and machine error—paper receipts, identification cards, camera surveillance. Voting machines, on the other hand, are often banned by law from recording a voter’s personal information or handing out paper receipts. Otherwise, someone could buy your vote and demand the receipt as proof.

The pitfalls of paperless voting became clear this January in Broward County, Florida. Broward was the site of one of the more infamous recounts in the 2000 presidential election, so the county switched to electronic machines soon afterward. In the recent election, however, the race for a seat in Florida’s House of Representatives was decided by only 12 votes, and the machines reported 134 blank ballots. The machine or the ballot design probably confused those voters, but there were no paper ballots to recount, no chads to examine. The votes were simply gone.

Electronic voting machines are especially worrisome because they offer the potential for undetected mischief. “You can rig it in an invisible way on a massive scale,” says Peter Neumann, a computer scientist at the consulting company SRI International. With just a little inside knowledge of a machine, a rogue programmer could create a Trojan horse program that looks like useful code but surreptitiously changes votes from one candidate to another. Critics say that voting machine companies, anxious to preserve a NASA-like aura of infallibility, won’t even consider such scenarios. “When you bring it up they get this blank look on their faces,” says David Dill, a professor of computer science at Stanford University. “You can’t even have a serious discussion.”

Until the demand for electronic voting machines swelled in the wake of the 2000 presidential election, the concerns of computer scientists were largely hypothetical. Then in February of last year, source code from Diebold Election Systems turned up on a Diebold Web site, unprotected by any passwords. Four computer scientists from Johns Hopkins and Rice University scrutinized the code (it wasn’t clear how much of it is still used in Diebold’s machines) and published their findings last July. “I don’t think that anyone in their wildest speculation had imagined how bad it would be,” says Lorrie Cranor, a computer scientist at Carnegie Mellon University who has examined Diebold’s code.

The research team concluded that Diebold machines are far from tamper-proof. To activate one of the machines, the voter needs to insert a “smart card”—something like an ATM card with a computer chip in it. But the investigators noted that Diebold had not taken even elementary precautions against forged cards. In the machines themselves, votes were encrypted with a not-very-secret key that was “hard coded” into the software. The research team characterized this as a blunder comparable to giving a master key to everyone in an apartment building: Anyone who figured out the code for one machine could tamper with every machine in the country. “Hard coding is a definite no-no that you learn about in Computer Security 101,” says Yoshi Kohno, one of the authors of the Johns Hopkins report.

Representatives of Diebold argue that voters would never get a chance to create a homemade smart card: They would receive the card at the polls and turn it back in after they finished. “Poll workers would make sure each voter only signs in once, and they would watch their activity to make sure no foul play occurs,” says Mark Radke, Diebold’s director of marketing.

This past January, at the request of Maryland’s Department of Legislative Services, a “red team” of eight computer security experts set out to test these security measures on a Diebold system configured much as it would be on Election Day. The team had no trouble generating bogus cards: The password required hadn’t changed since the Johns Hopkins report was released six months earlier. One team member picked the lock that physically protected the machine’s memory in 10 seconds—quickly enough to avoid arousing suspicion. That also gave him access to the machine’s keyboard jack, which is not normally available to voters. (No keyboard is provided in the voting booth.) By plugging a PDA into the jack, he could have overwritten the machine’s vote tally.

The red team concluded that such weaknesses could have been fixed before the March primary, but not everyone was convinced. Aviel Rubin, a coauthor of the Johns Hopkins report, says that he would prefer voting by mail to voting on a Diebold machine—and there is no guarantee that other voting machines are any better. The only real solution, says Rebecca Mercuri, a research fellow at the Kennedy School of Government at Harvard University, is to create a new sort of paper trail. After voters punch in their choices on the touch screen, Mercuri suggests, the machine should print them out behind a transparent screen. The voter can either confirm the ballot is correct or void it. If she confirms it, the paper drops into a ballot box, and in case of any dispute or recount, the paper ballot (not the totals in the computer’s memory) becomes the official vote.

Mercuri’s solution, first proposed in a paper she delivered at a computer security conference in 1993, has since inspired a popular movement. An organization called The Computer Ate My Vote, led by entrepreneur Ben Cohen, cofounder of Ben & Jerry’s ice cream, has more than 400,000 members and raised $100,000 in its first two days of fund-raising. In November, Kevin Shelley, California’s secretary of state, issued a directive that all touch-screen voting machines in his state must be equipped with printers by 2006. Nevada has followed suit, and a bill in the U.S. House of Representatives to establish similar requirements nationwide—once given little chance of passing—now has 118 cosponsors and a matching bill in the Senate.

“It’s extraordinarily heartening to see [the need for a paper trail] recognized in state government after state government and up on Capitol Hill,” Mercuri says. Nevertheless, she believes that voters should worry more about programmer error than deliberate fraud. “There are considerably more bad programmers than good hackers,” she says. Printers of paper ballots have been known to make inadvertent mistakes. A local poll worker may catch such an error, but what if the mistake is in a computer program? Can the poll worker be sure the technician who comes to fix the glitch has not made some unauthorized changes?

Still other voting experts believe that electronic voting is relatively safe compared with the alternatives. A team of researchers from MIT and Caltech concluded that as many as 6 million votes were lost in the 2000 election due to confusing ballots, voter registration errors, and poor polling procedures. Diebold’s Mark Radke points out that during the recall election for the governor of California last year, fewer than 1 percent of the voters that used Diebold machines submitted blank ballots—a rate well below that for optical-scan cards (2.7 percent) and punch cards (6.3 percent). The threat of large-scale electronic fraud is a mere fantasy, many election officials conclude, compared with the logistical problems they face every Election Day.

I’m like the average voter. I don’t know [who’s right]. And because I don’t know, I want the confidence that a paper trail provides,” Shelley declared in a recent speech. “The right to vote is the most precious demonstration of our democracy. We must take it seriously, we must cherish it, and all of us, at the county level, at this office, and in the election vendor community, must act accordingly.”

Next Page
1 of 2
Comment on this article
ADVERTISEMENT

Discover's Newsletter

Sign up to get the latest science news delivered weekly right to your inbox!

ADVERTISEMENT
ADVERTISEMENT
Collapse bottom bar
DSCOctCover
+

Log in to your account

X
Email address:
Password:
Remember me
Forgot your password?
No problem. Click here to have it emailed to you.

Not registered yet?

Register now for FREE. It takes only a few seconds to complete. Register now »