Digital voting What else might be tossed out with the paper and pencils? BY JESS KILBY

The last time Portland saw a morning-after election scandal was back in 1999, when now-state Senator Ethan Strimling challenged incumbent Jack Dawson for a seat on the City Council. When Dawson was announced the winner by a slim margin and Strimling requested a recount, election officials pulled out the paper ballots and let the arguing begin.

In the end, it was decided that the 35 voters who had connected the arrow on the write-in candidate’s line, but not filled in a candidate’s name, had not, indeed, meant to fill in the arrow on the line above, which would have cast a vote for Strimling.

Although the good senator and his supporters may disagree with the final verdict that confirmed Dawson’s victory, nobody involved in the controversy can claim that fraud occurred. Voter confusion and partisan opportunism, maybe (fellow Dems on the Council all voted to give Strim the disputed votes; Republicans lined up behind their man Dawson) — but not once was the allegation made that something funny might have happened on the way to the bank.

Now imagine if those paper ballots, which were tallied by a machine on the first go-around (think Scantron tests and Number 2 pencils), didn’t exist? Imagine instead if the voter stepped up to a device not unlike an ATM machine, used the touch-screen and an accompanying keypad to cast a ballot, and walked away — sans the standard ATM receipt? Election officials would be left without a paper trail to examine should a recount become necessary; all they would have would be a computer file with the final numbers for Candidate A and Candidate B.

Of course, if touch-screen electronic voting machines eliminated all the problems that have historically plagued butterfly ballots, antiquated punch and lever machines, and even Portland’s optical-scan arrows, then the potential need for a recount would be drastically reduced, right?

Sure. But what if the software running these voter ATMs had been tampered with, so a vote for Candidate A was logged as a vote for Candidate B? Or so a person could enter the booth and vote more than once without being caught? Or so, at the end of the night, an unscrupulous election official could replace the correct set of vote tallies with a different set, again undetected? Or, to get outside the realm of the conspiracy theorist, what if someone kicked a plug out or spilled a coffee in a bad place? A paper trail would certainly come in handy in these instances, wouldn’t it?

These are not random musings, but real issues currently facing the voters of this country. Election officials across the nation are striving to comply with a new federal law, the Help America Vote Act (HAVA) of 2002, which was passed after the voter-disenfranchisement debacle in Florida during the 2000 presidential election. HAVA provides one-time funding to help states modernize their voting equipment and improve accessibility, which means many states are now or will soon be switching over to electronic voting systems like the ATM contraption described above.

In Maine, where only hand-counted paper ballots and machine-read optical scan ballots are currently approved for use (each municipality or voting district can choose which approved system it wants to use), an advisory committee led by Secretary of State Dan Gwadosky has filed a HAVA-compliance proposal that calls for the state to purchase at least one direct-recording electronic (DRE) device (the ATM-like machines) or similar system for each voting precinct, to comply with HAVA’s accessibility requirements. Maine has 627 voting precincts, which will mean the purchase of at least that many new machines.

The biggest financial winner in this e-voting boom has been the Ohio-based company Diebold Election Systems (DES), which, among other windfalls, just signed a $55.6-million contract with the state of Maryland — "the largest-ever voting system agreement to date in the United States," touts Diebold in a recent press release. Perhaps coincidentally, HAVA’s co-sponsors are Bob Ney, a Republican congressman from Ohio, and Steny Hoyer, a Democratic congressman from Maryland.

But all is not peachy-keen on the North Canton campus of Diebold Incorporated (the parent company of DES). First there’s the trouble that CEO Walden O’Dell recently caused himself by writing in a Republican fundraising letter that he is "committed to helping Ohio deliver its electoral votes to the president next year."

Far more damaging, though, has been a study by computer scientists at Johns Hopkins University (JHU) that slams Diebold’s DRE voting system for being about as secure as Swiss cheese.

Diebold’s woes began in January 2003, when unnamed sources (who have been alternately described in the media as "whistleblowers" and "unauthorized outsiders") discovered that the company was hosting the source code for its DRE system, plus a treasure trove of other sensitive technical information, on an unsecure Web site.

"The contents of these files amounted to a virtual handbook for vote-tampering," writes investigative journalist Bev Harris in the introduction to her newly released book Black Box Voting (Plan Nine Publishing). "They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software."

The source code for Diebold’s DRE system was passed along to researchers at JHU, who, at the end of July, issued a scathing report on the software’s security flaws. Though Diebold attempted to refute the report, the JHU team has stood by its findings — and attracted the support of many other computer scientists across the country.

The non-technical summary of the JHU report is that all of the hypothetical election hijinks outlined above are actually possible — and not hard to accomplish — when Diebold machines are being used at the polls.

More specifically, the JHU report — which has also become known as the Rubin report, after lead researcher Avi Rubin — explains that Diebold’s engineers either didn’t know or didn’t care what they were doing when they used cryptography to secure the code. In their counter-rebuttal, Rubin’s team writes that "every use of cryptography in the Diebold code is flawed."

First is the botched use of a security concept known as key management, which is a standard protocol in e-commerce transactions (it’s what keeps your credit card number safe as it’s sent through the ether). The Diebold software uses a key for the voter’s smartcard, which resembles an ATM card that the election official wipes clean after each use. The software also uses a key to encrypt the vote.

The problem, Rubin’s team explains, is that "both the keys for the smartcard and the keys used to encrypt the votes were static entries in the source code. This means that the same keys are used on every voting device. Thus, an attacker who was able to compromise a single voting device would have access to the keys for all other voting devices running the same software."

Diebold also cheaped out on the algorithm used to encrypt the votes and the audit log, says Rubin. He cites a paper written about the algorithm — called the Data Encryption Standard (DES) — by the Electronic Frontier Foundation:

"This work describes the design and construction of a machine specifically engineered to recover DES keys. Using 1998 technology, the machine cost under $250,000 and was able recover a DES key in under three days. With today’s computer technology such a machine could be made both significantly faster and less expensive. That Diebold considers the possibility of such a machine being used to find keys for an election machine ‘incredibly unrealistic’ demonstrates a misunderstanding of the threat model."

"Of course," Rubin’s paper adds, "since the Diebold code included a static key, no cracking is required to compromise the security of the system if any one voting terminal can be stolen ahead of the election and disassembled to learn its key."

Diebold’s defense against this point has been less than encouraging. Though the company says the smartcard key is no longer hard-coded, it makes no such claim about the vote key. Rather, Diebold officials say, "[a]n attacker would need access to both the source code and the physical storage," to compromise the system — to which the JHU team responds: "This is not correct. The attacker only needs access to the physical storage as the key is also stored in the executable code."

And tampering with a voting terminal is hardly as difficult as one might think; Wired reporter Kim Zetter published an article the day before the California recall election citing a multitude of security holes she encountered during the training of poll workers in Alameda County, which uses Diebold’s DRE system.

"Officials leave voting machines at polling stations days before the election," Zetter writes. "The machines contain memory cards with ballots already loaded on them. This means before the election, someone could alter the ballot file in such a way that voters would cast votes for the wrong candidate without knowing it."

Though the memory cards are under lock and key, Zetter notes that "supervisors receive a key to the compartment the weekend before the election," and that "the same key fits every machine at a polling station." Moreover, "poll supervisors are selected with no background checks and are given keys to buildings where they can access the machines several days before the election."

(Zetter’s report goes on at length about additional security gaffes; for more details, see the full article at http://www.wired.com/news/politics/0,1283,60713,00.html)

Accusations of chicanery in the recall election are already surfacing. Media critic Mark Crispin Miller reposts on his weblog (markcrispinmiller.blogspot.com) some number crunching done by an anonymous friend of his in South Carolina, who notes a curious spike in votes in Diebold counties for fringe candidates — the implication being that these votes may have been skimmed from Democratic Lt. Governor Cruz Bustamante’s vote total and dispersed among irrelevant challengers. If this sounds like tin-foil-hat territory, take a look at the numbers:

"There were a total of 1,403,375 votes cast in [Diebold] counties combined. The CA total was 7,842,630 at this stage of the count [96 percent of precincts reporting]. Thus 17.89 percent of all the state votes were cast/counted on Diebold equipment."

Statistically speaking, then, each candidate should have received roughly 17.89 percent of his or her votes from Diebold counties. This holds true for the top contenders — Schwarzenegger is at 16.36 percent, Bustamante is at 18.78, Republican state senator Tom McLintock is at 19.08, and many lesser-known candidates are in the same range.

But other long-shots are off the charts in Diebold counties — and these are candidates with no known link to the counties in which they stole the show. For example: Ronald Jason Palmieri, a gay-rights attorney from LA whose campaign motto was "Don’t vote for me," netted 68.3 percent of his votes from Californians using Diebold machines. Jerry Kunzman, a businessman from Richmond, can thank Diebold voters for 91.75 percent of his total vote count. Randall Sprague, a private investigator from Sacramento: 65.1 percent. Bryan Quinn, a 20-year-old college student from San Jose: 50.8 percent. The list goes on.

Crispin Miller’s statistically inclined friend calls these numbers "a meteor hit my car twice this week sort of odds."

"The probability of scoring twice the expected average county percentage could charitably be construed as the upper limit of the possible," he writes. "Some candidates exceed that figure in Diebold counties by a four- or five-fold margin. If you have done statistics, you know that is so far beyond what might be expected that you would reject it as defective data. If it happened to one candidate in this election, I would be surprised but might accept it. [But] there are a large number of candidates who have this same systematic pattern of receiving skimmed votes."

It’s worth mentioning that the machines in question here aren’t just the touch-screen models, which were only used in two of California’s 14 Diebold counties, but also the same optical-scan machines that are used in Maine. The good news: Diebold is one of two state-approved vendors of optical scan machines here, and only 72 of the state’s 627 voting precincts use Diebold machines. The not-so-good news: Though only 22 percent of Maine’s voting precincts use optical-scan machines of any make, this 22 percent comprises some of the state’s most populous areas; more than 65 percent of Mainers who vote do so on an optical-scan machine.

Why this matters: Maine’s other optical-scan vendor is a company called Election Systems & Software (ES&S). The man who founded ES&S, Bob Urosevich, is now the CEO of Diebold Election Systems, and created the original software architecture for DES. The gap between the two companies is small, and combined they own some 80 percent of the American market in voting machines.

Though we’re hardly considered a cutthroat political state, concerned citizens should get involved when it comes time for their municipalities to decide on election-equipment upgrades, and, at the state level, make sure the right questions are asked about the systems being reviewed for approval or purchase. (Perhaps the most important question for DRE machines, above other software issues: Does the system have a voter-verifiable paper trail — a receipt of some sort that shows each voter, in print, how his or her vote was logged?)

The public comment period for Maine’s HAVA-compliance proposal ended July 14, but the Secretary of State’s office is still soliciting voter feedback on the issue.

Don’t let this opportunity go to waste. Because, in a democratic society, our vote is the most powerful tool we have. It should be protected.

Jess Kilby can be reached at jkilby@phx.com

For more information about these issues, check out www.blackboxvoting.com. For a list of questions to ask election-machine vendors, written by JHU’s Avi Rubin, visit http://avirubin.com/vote/response.html and scroll to the end of the document. For a full copy of Maine’s preliminary HAVA plan, visit http://www.maine.gov/sos/cec/elec/hava.htm