A VOTE OF NO CONFIDENCE

In neither appearance nor demeanor does Avi Rubin suggest the aura of a troublemaker. He is slight in stature, bespectacled, well-spoken and neat, if informal, in dress. In conversation, you detect confidence but not quite braggadocio.

He does not seem to be a threat to democracy.

Judging by the reaction to Rubin's most recent work, though, this 35-year-old Johns Hopkins computer scientist might as well be the reincarnation of Josef Stalin, so dangerous is he to the American electoral system.

That is, in the view of his critics. In the opinion of a number of his fellow specialists in the field of computer security, Rubin might someday be regarded as the man who sounded an alarm that preserved the sanctity of elections in the United States, or at least the notion that the candidate elected by the voters will be the one who is actually declared the winner.

What both sides can probably agree on is this: A study conducted by Rubin and two of his graduate students has completely altered a continuing fierce and largely invisible debate about the capacity to safely conduct American elections by way of computers.

The study has thrown state and local election offices across the nation into turmoil. It has also created uncertainty about how hundreds of millions of dollars in taxpayers' money will be spent. Those funds were intended by Congress for the purchase of supposedly state-of-the-art voting machinery to ensure that The Debacle - otherwise known as the Election of 2000 - never happens again.

When Rubin's report appeared, Maryland was on the verge of spending $56 million to buy and install touch-screen computer voting machines from Ohio-based Diebold Elections Systems. The state has now ordered a review of the purchase because Rubin's report all but flatly states that the machinery is essentially junk.

Rubin, to say the least, has caused quite a bit of trouble. For himself as well as election officials. Since late July when he leaked his findings to The New York Times and CNN, he has done one interview after another, spoken to public officials and conferences and appeared on Capitol Hill to help Congress figure out how it's supposed to fix the problem that it already thought it had fixed.

He has also found himself under heavy attack and discovered just how unforgiving life is when you are at the center of a ferocious public controversy in which vast amounts of money and ego are at stake.

"Working on the paper was fun, and the reaction has given me a big charge, but I can't say that part has been fun," he said recently in his sleek Hopkins office the morning after a suddenly typical 14-hour day. "It has been all-consuming and tiring. My wife said just last night she was surprised the kids still recognized me."

It's a lot of attention for a young, untenured associate professor.

Rubin only returned to academia recently, although you could say he was born into it. Both of his parents are college professors at Vanderbilt, his father in English literature and his mother in mechanical engineering. He was born in Kansas and grew up in such disparate places as Israel, Birmingham, Ala., and Nashville. He received his undergraduate and graduate degrees from the University of Michigan. He did research in computer security at Bellcore and AT&T Labs but ultimately preferred the freedom that only a university could offer.

He turned down tenured positions in some top computer science departments. He was drawn instead to Hopkins because of its new Information Security Institute, where he would have the benefit of several colleagues in his exact field rather than being the lone representative. In January, he joined Hopkins as a junior professor in the computer science department and technical director of the institute.

For the last four years, Rubin has worked in electronic voting security. He has published widely on the topic and was a panelist on the Clinton-ordered National Science Foundation's 2000 feasibility study on electronic voting.

So he has been dead center in what, unknown to most of the voting public, has been an acrimonious debate over the issue of electronic voting. The argument has settled along somewhat surprising lines.

On one side are election professionals, many of whom insist that the day of paper ballots must be left behind in favor of touch-screen voting. "We're long past the point where you can use paper," says Doug Lewis, the venerable head of the National Elections Center, a professional organization of election officials. "For instance, California. You'd have to count 12 million pieces of paper. We're way beyond that."

Arrayed against fully computerized voting are, of all people, a group of computer scientists like Rubin, who insist that the technology to run secure, tamper-proof elections simply does not yet exist.

"I happen to believe that no amount of care by manufacturers is going to make these machines trustworthy," says Stanford University's David Dill, a leader in the movement against electronic voting.

So impassioned is Dill that he took a leave from Stanford to mount a petition drive among computer scientists and technologists to sound a warning about electronic-only voting systems. One of the demands of the petition is that any kind of voting system must be able to produce a verifiable paper audit trail so that everyone can be assured of the results' authenticity.

The fight and the language used in it have been nasty. The election officials say the computer scientists know nothing about elections. The computer scientists say the election officials know nothing about computer security.

Until recently, the computer scientists were forced to make their case about the deficiency of computerized systems on hypothetical grounds. The coding used by the vendors of computer voting systems was kept secret as proprietary information.

But through Diebold's apparent inadvertence, the security experts caught an unexpected break this summer. An activist opposed to electronic voting alerted Dill that the code Diebold uses in its electronic voting machines had made its way onto a New Zealand Web site. Dill immediately understood the chance he had been presented. For the first time, computer security experts could analyze a real, in-use code to determine whether it truly was secure.

He knew Rubin and his work and asked if he was willing to take on the assignment. Was he ever.

Rubin immediately summoned his two graduate assistants, Adam Stubblefield, 22, and Yoshi Kohno, 25, whom he calls "about the most formidable team you could have."

"I told them to drop everything. I've got an incredible opportunity here. A major vendor has had its code leaked and I want to analyze it."

Rubin did not enter into the escapade naively or without an understanding of the possible ramifications. He is sophisticated about press coverage, maintaining a Web page about himself, complete with links to numerous news articles in which he is mentioned. He and Stubblefield were part of a team that in 2001 exposed serious flaws in wireless networks, which led to higher standards in the industry. Less momentously, he also received attention for pinpointing security problems with nanny cams.

If his prior work in electronic voting didn't suggest what he would find, the fact that Diebold's code had made its way onto the Web gave him insight into the company's appreciation of security. "If I had my biggest trade secret exposed, I would have done everything to cover it, but they didn't do anything."

The analysis of the Diebold system took two grueling weeks. Rubin insisted on a fast turnaround. Like a news reporter, he wanted to beat everyone else to print. "It was exciting because we knew we were the first to look at the coding of a vendor, and we knew it was going to be historic."

The three didn't sleep much during those two weeks in July. In the middle of it, Kohno and his wife drove to a wedding in Maine, she at the wheel, he in the passenger seat typing away on his laptop. "I said to my wife, 'I'm doing what I love with the person I love.' She had a different view of it."

Within the first hour of work, Rubin says he knew the Diebold system was vulnerable to outside attack and manipulation of results. The code, he says, is a security nightmare.

"You can tell good code from bad code, and we found serious security flaws. It's like an English professor looking at something by someone who doesn't write very well."

Still, Rubin says he was shocked by how deficient the coding was. "The more we looked, the more we found. They were obviously not experts in developing secure code, and they weren't disciplined in writing security.

"I wouldn't expect any student who took any of my classes would write a code like that."

They wrote up their results in a paper and circulated it to a few colleagues such as Dill for comment. "The universal reaction was, 'Wow, you guys found the smoking gun.' "

Rubin had to decide what to do next. One possibility was to contact Diebold directly, but the risk was that the company would go to court to block him from publication. Other computer scientists, in fact, admit that they would have passed on the project altogether for fear of being sued.

Rubin didn't want to be prevented from publishing, and he also didn't want to wait the many months it would take for an academic journal to produce his paper. He knew that many states and localities already had used computers in elections in 2002 and that far more planned to do so in 2004. He believed public policymakers needed the information as soon as possible.

So he decided to leak the paper to the press. He wasn't exactly prepared for the intensity of what happened after the story broke July 24. "We knew the magnitude of what we had found but underestimated the firestorm we had created."

There was a flood of media attention and nervous calls from public officials. There was a backlash from some election officials and Diebold's firm dismissal of the report. Lewis, with the Election Center, called the report "unscientific and unacademic." In an interview last week, Lewis accused Rubin and his colleagues of nothing less than undermining public confidence in elections.

"We've been in America under the belief that our process works and if we end up destroying fundamental faith in that process it makes it hard to have faith in the government that results from it," Lewis said. What he left unsaid is that a sizable number of Americans believe Al Gore should rightfully be in the White House today.

"Fortunately for me," said Rubin, "I'm at an academic institution that backs its researchers. That would not have happened at AT&T. I could have lost my job."

Rubin's colleagues in computer security have stood firmly and happily behind the report. The paper, says David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and an expert in electronic voting security, is "the most important event that happened in this debate. It was sudden and it changes everything. Now every official has to feel that they have to take notice."

Jefferson says the report proved the situation even more dire than he had believed. "Once I read Avi's paper I realized that my worst fears had been realized," he says. "If what Avi wrote is actually true, the code is dangerously amateurish and should never have been used for voting systems, should never have been certified in the first place and should immediately be decertified."

It also gives more credence to a position many computer security experts have been espousing. Contrary to what intuition might suggest, they believe the software codes of electronic voting systems should not be secret. They should be made available to everyone, so they can be truly tested to reassure the voting public.

Critics of the report have made efforts to discredit it. Lance Hoffman, a computer security expert at George Washington University, said he was contacted by an organization he doesn't want to name to see if he was willing to write a retort to Rubin's report. "I said no self-respecting computer scientist can go against the Rubin report, and maybe Diebold should rethink how they develop software."

The biggest opening, however, was supplied by Rubin himself. Nearly a month after the report, he revealed that he was a member of the technical advisory board of a company, VoteHere, that designs cryptographic systems and software for the manufacturers of electronic voting equipment. Although VoteHere is not a direct competitor of Diebold, the company seized on the disclosure, pronouncing itself "shocked and disappointed" by Rubin's admission and called it further evidence of his "bias."

Rubin says he had not profited from the relationship and had not been in contact with VoteHere for two years. Nevertheless, he said he was returning stock options and resigning from the board.

But the damage was done. "I don't think it helps his credibility," says Steve Fought, legislative director for Congresswoman Marcy Kaptur, D-Ohio. "He should have made those interests known up front and early, but I don't think that takes away from the validity of the report."

Fought's boss is among a bipartisan group of representatives who are looking into making changes in the Help America Vote Act, the $3.9 billion bill enacted by Congress last year to quickly address the problems uncovered in the 2000 election. With little thought or research, Congress set the nation on the path toward electronic voting. Rubin's report provides concrete evidence for a view that is quickly gaining ground, that Congress perhaps acted far too hastily.

"Rubin's report brought to light that electronic systems were not as secure as perhaps Congress had thought," Fought says.

Just back from a cryptographic conference in Santa Barbara, Calif., where he and his team received an award for their report on Diebold, Rubin is convinced he did the right thing, no matter how much trouble he caused.

"It was not my intention to be a troublemaker. But if there was going to be that much spent on machines that are insecure, then I suppose I've done a good thing."

Security might be a problem for electronic voting, but it doesn't seem to be for Rubin.

