PRISON Newswire
PRISON          Copyright 2002-2003 Alex Jones          All rights reserved.
Study raises concerns about electronic voting machines

Beacon Journal

AKRON, Ohio - It was just an obscure Internet portal tucked in one corner of the Web. With a black background and blue writing, it wasn't much to look at - on the surface anyway.

Truth is, the Global Election Systems' Web site was a Pandora's box of controversy just waiting to happen. And it did happen - exposing Global's new owner, Green, Ohio-based Diebold Inc., to a new level of scrutiny. Now Diebold, and perhaps the whole electronic-voting industry, could pay the price.

And it all started with a simple Web site.

That site, which Diebold took over with Global in 2002, contained thousands of sensitive files on the hardware and proprietary software of Diebold's touch-screen voting system, said Bev Harris, a publicist turned e-voting opponent.

Diebold insists the files are just leftover junk.

Still, Harris and other critics say the interworkings of Diebold's machine have been laid bare and criticized, just as most states are making multimillion-dollar decisions about which voting system to buy under the Help America Vote Act.

It's a critical time for the industry's bottom line.

E-voting, once revered as the savior of an antiquated and problematic election system, is slipping off its pedestal. Legislators nationwide are backing off, rethinking their trust in so-called direct-recording electronic (DRE) voting systems. They want answers to mounting allegations of shoddy security.

Diebold maintains its AccuVote-TS voting machine is safe, even though its own Web site sparked the criticism in the first place.

The site's confidential files gave Johns Hopkins University researchers a rare peek into the secretive world of touch-screen DRE voting systems. And they blasted Diebold, asserting in a July 23 study that the company's software is unsafe and an easy target for hackers.

Diebold basically called the Johns Hopkins study hogwash less than a week later. The research, the company said, was based on outdated, incomplete material and biased from the start. But the security concerns chief researcher Avi Rubin raised were still more than enough to rattle officials across the nation.

Legislators in some states have hired outside computer security consultants to reassess Diebold and its competitors. Others in North Dakota and Arizona have put the brakes on new plans involving such equipment.

Even in Ohio, where Diebold was born and raised, state officials peppered every vendor - not just Diebold - with hard questions, said Carlo LoParo, of the Ohio Secretary of State's office.

"We feel that the Johns Hopkins study raises questions about electronic voting in general. Fortunately, the study came at a time in our process when we can ask tough questions," he said last week.

Several states are rushing to select electronic voting vendors to replace old punch-card and lever equipment by 2006. The upgrades are required under the Help America Vote Act and the federal government is doling out $3.9 billion to states to speed up the process.

Ohio alone has already received $41 million to improve its voting system and it expects to get another $32 million this fall. Three touch-screen vendors, including Diebold, are vying for a statewide contract. Diebold had offered to start building voting terminals in Ohio if it alone wins the contract.

But Secretary of State J. Kenneth Blackwell has said he won't select just one vendor. "The Johns Hopkins study raises questions that need answers, not just from Diebold, but from all electronic-voting vendors," he said.

Blackwell had planned to announce his selection on Friday, but a judge issued a temporary restraining order after Sequoia Voting Systems charged that Ohio had unfairly eliminated the company from the selection process.

Rubin and his team of researchers had no kind words for Diebold's AccuVote-TS voting machine in their report, "Analysis of an Electronic Voting System."

Flaws emerged within minutes of examining the software, Rubin said, and weeks of subsequent research found "significant and wide-reaching security vulnerabilities."

The study asserts Diebold's machines are open to manipulation by both outsiders (hackers or malevolent voters) and insiders (company programmers or election staff).

The system is vulnerable through smart-card readers mounted on each machine. A single voter, using a homemade smart card, could "cast multiple ballots without leaving any trace" or terminate the election early, according to the report. A malevolent poll worker could do the same.

Plus, the AccuVote-TS machine is open to hacker attacks through even minimal communication on a computer network, Rubin's team wrote.

"Given that these voting terminals could communicate over insecure phone lines or even wireless Internet connections (to transmit end-of-the-day election results), even unsophisticated attackers can perform untraceable man-in-the-middle attacks," they wrote.

The results of the Johns Hopkins study didn't surprise David Dill, a computer science professor at Stanford University. Dill, an electronic voting critic, is one of the academics who reviewed a draft of Rubin's study before it was published.

"Unless a system has undergone tests by security experts, there will be big holes," he said.

Diebold's desire to keep the details of its software away from the public isn't comforting either, Dill said. Merely hiding that information won't prevent a security breach, he said, and it could just be an excuse to shield shoddy computer programming.

Dill suspects several other vendors, like Election Systems & Software (ES&S) and Sequoia Voting Systems, have similar security problems because they keep their software hidden, too. Both deny such allegations.

Two smaller companies, Populex Corp. and VoteHere Inc., have agreed to release details on their software. Both also launched products to satisfy critics' demands for verify each vote.

Bigger vendors like Diebold say the cost of creating a paper ballot for everyone, as critics demand, is too expensive and unnecessary. (Diebold's terminals are capable of such a task, though.) Rubin's study made it clear the Johns Hopkins researchers disagree with that assessment.

"We were never out to attack Diebold directly, but they took it that way," he said from Washington last week.

Diebold, for its part, has stood by its AccuVote-TS system with unwavering confidence.

Mark G. Radke, director of Diebold Election Systems, called the Johns Hopkins report inaccurate, inappropriate and incomplete.

Not only did the researchers evaluate old software that was in development, but they ran it on the wrong operating system and hardware, he said. "What the authors have is ballot station software," Radke explained Wednesday in a Diebold conference room. "There are a lot of types of software not available to the authors that (together) make the system secure."

He also blasted the researchers for reporting Diebold's voting machine operates online.

"The system is never on the Internet," he said.

However, poll workers can configure an AccuVote-TS terminal to collect election results from other terminals and then send out a "short burst" of information over local telephone lines. That feature is an alternative to manually delivering the vote tallies stored on memory cards in each machine.

Diebold's newest voting machine, the AccuVote-TSX, lets poll workers send the same information wirelessly.

But even if that burst of election data was intercepted, Radke said all the hacker would get are unofficial results, Radke said. An official tally isn't decided until days later, when local election officials compare the votes counted in each machine's memory card to other paper and electronic records.

"We haven't had any problems," he said.

Aside from the technical safeguards, Radke said Rubin and his cohorts overlooked the most important protection against election fraud - hundreds of years of practice. The checks and balances of the U.S. election system were completely ignored, the Diebold executive said.

Poll workers check every voting machine before an election, and they watch their co-workers and voters for any signs of unscrupulous behavior. Such checks, as well as other technical sticking points, make it unlikely that someone could successfully wield a home-brew smart card, Radke said.

"A lot of election officials have been very supportive of Diebold because they realize the flaws in the report," he said.

Mary Kiffmeyer, president of the National Association of Secretaries of State, agreed the Rubin report didn't take election safeguards into account (even though some secretaries of state still jumped off the e-voting bandwagon recently).

No matter what Diebold's supporters say, the company has taken major hit from the Johns Hopkins study. And its competitors could, too, as they take on guilt by association. "That study wasn't a positive one for the DRE part of our industry," said Todd V. Urosevich, of ES&S. "We compete quite fiercely, but we like to see good things happen to our competitors."

Right now, the industry is fending off critics from every direction.

Officials from North Dakota, Arizona and other states want to slow down. So does the the Leadership Conference on Civil Rights, which pushed for electronic machines to help visually impaired and disabled voters. Plus, Maryland just asked for an independent review of Diebold's voting machines.

Radke said the researchers wanted to discredit the electronic voting industry at a crucial time. Any legislative delays in purchasing the equipment will just hurt the disabled voters who stand to benefit from touch-screen terminals the most.

Still, Radke said Diebold Election Systems has plenty of business prospects on the horizon.

Several countries have made inquiries and states won't stop buying Accu-Touch equipment anytime soon. Right now, each precinct only needs one electronic voting machine to meet federal requirements for the disabled. The counties that buy a limited number now probably will come back for machines later.

With such security questions floating around, legislators say they're asking tough questions of the entire electronic voting industry. And, basically, what those questions boil down to is trust.

Should Americans trust the results of federal-level tests on voting systems?

With critics like Dill and Rubin, that's easy to answer, said Doug Lewis, executive director of the Federal Election Commission.

"They want their view to win out, no matter if its fact or fiction," he said.

For legislators and voters, Lewis is a bit more hopeful. "At some point in this society, you have to trust the institutions that are in charge of it," he said.
E Mail This Page