The electronic voting system selected by Maryland and several other states may harbor serious software flaws that could allow voters or poll workers to tinker with election results, a team of Johns Hopkins University computer security experts has reported.
The touch-screen voting machines made by Ohio-based Diebold Election Systems are vulnerable to subversions ranging from multiple voting to vote switching, the Hopkins study concluded. It said some hacks could be accomplished with little expertise, using inexpensive, widely available equipment.
"It's very, very scary," said Aviel Rubin, technical director of Hopkins' Information Security Institute and one of the report's authors. "This is something that is the cornerstone of our democracy. I believe as a society we're moving too fast toward electronic voting."
In a carefully worded statement, Diebold defended the system and said its machines were certified by federal, state and local officials. It said the code the Hopkins researchers tested appears to be outdated and criticized the researchers for not contacting them during the analysis. But the company said it would "reserve judgment on the researchers' fundamental conclusions."
Election supervisors in states with Diebold machines said they are happy with the equipment.
"We've had an outstanding experience," says Michael Barnes, assistant director of elections in Georgia, where 22,000 Diebold voting machines are in use. "I have not had a single call from a voter upset with an election machine."
The Hopkins analysis comes just days after Diebold announced a $55.6 million agreement with Maryland to supply more than 11,000 AccuVote-TS touch-screen voting machines. More than 5,000 are already in use in Allegany, Dorchester, Montgomery and Prince George's counties.
Maryland officials said they expect all jurisdictions except Baltimore City to have the machines ready for voters by the March presidential primary. The city, which uses a different electronic system, has until 2006 to switch to the Diebold machines.
Maryland election officials said yesterday that they had contacted Diebold about the Hopkins report but continued to have confidence in the system.
"With any computer software, you always have some risk," said Linda H. Lamone, state administrator of elections. But she added, "There's so many checks and balances in this process."
She also questioned whether the Hopkins scientists were testing the software code that Maryland's machines use.
The researchers said in their report that software was discovered on a Diebold Internet site in January.
"We believe the software code they evaluated, while sharing similarities to the current code, is outdated and never was used in an actual election," the company said.
But the report heartened critics of electronic voting, who renewed their calls for more open evaluation of the software used in the machines, as well as mandatory paper backup systems.
Since the presidential election of 2000, when flaws in Florida's voting system left the outcome in doubt for 36 days, states have been replacing old machines with new, all-electronic systems.
Manufacturers must submit software and hardware to government agencies for certification. But critics argue that given the importance of voting machines, the process needs to be more rigorous and open.
"This is no way to develop vending machines, let alone voting systems," said Cindy Cohn, legal director of the Electronic Frontier Foundation in San Francisco. "This is our democracy we're talking about. There is an extra onus to ensure people have confidence in their votes."
Many complain that electronic voting systems, including the AccuVote-TS, store a vote only in computer memory, without creating a simultaneous paper record. Without an audit trail, critics argue that electronic voting machines are too vulnerable to fraud or failure.
The Diebold software the Hopkins security researchers acquired was vulnerable in several ways, the report said. One of the flaws concerned the so-called "smartcards" that voters insert into the machine to cast their vote.
The cards contain a small computer chip that ensures each voter casts only one ballot. But Hopkins researchers concluded that by using blank smartcards and smartcard programmers widely available over the Internet, a dishonest voter could cast multiple ballots.
"Any teen-ager in their garage could make one of these," said Tadayoshi Kohno, a Hopkins computer security researcher who worked on the report.
In another case, researchers said they found that someone with more access to the machine - a poll worker, for example - could rig it so that a vote cast for one candidate is actually recorded for another.
"This is no surprise to us," said Damian O'Doherty, a spokesman for the Baltimore County executive's office, which is fighting the state's March deadline to have the Diebold system running.
Baltimore County officials argue that they have neither the staff nor the money to get the job done correctly on time. The county, which currently uses computer-scanned paper ballots, is one of 19 with the March deadline, but the only one to protest, state officials said.
"The technology wasn't ready for prime time. In May, we said the timetable was too aggressive and it would be prudent to cancel the contract," O'Doherty said.
In its statement, Diebold said that the Hopkins research "overlooked the total system of software, hardware, services and poll worker training" the company provides.
Election officials in other states where the Diebold machines are used endorsed that view. "They don't know what version of software it was and are testing it out of context - you have to test the software and hardware together," said Barnes of Georgia.
Brad Clark, registrar of voters for Alameda County, Calif., said his 4,000 Diebold machines, the same as Maryland's, have also performed well and have mechanisms to thwart certain types of fraud: "When the voter votes, it is essentially stores the image of every individual ballot as well as keeps a running total of what the votes are. If at any time those numbers get out of sync with the images, it will stop and won't take any more votes."
But some experts said that even if the software Hopkins analyzed is older code, the report underscores the urgent need to reassess the test process.
"It brings home concretely to people what real computer security problems can exist in these machines," said David Dill, a computer scientist at Stanford and outspoken critic of electronic voting. "It could change votes all over the country."
The Hopkins report is available online in Adobe Acrobat format at http://avirubin.com/vote.pdf.
Sun staff writers Greg Garland and Sara Neufeld contributed to this article.