How much can state trust electronic voting?

The Baltimore Sun

This Tuesday, for the first time, every voter in Maryland will cast a ballot on a voting system that is entirely electronic. Apart from the important public offices being filled, the stakes are substantial.

Since the controversial outcome of the 2000 presidential election, when the state of Florida laid bare the need to discard outdated voting systems - especially punch-card ballots - more and more states have turned to computers with mixed results.

Voters love their ATM-like ease, but every now and then, they're reminded that the voting machines are just as susceptible to unintended corruption as their home computers.

For instance, during the 2004 presidential election, one machine in a Columbus, Ohio, suburb tallied almost 3,900 more votes for President Bush than he received. The glitch was easily caught because only 638 voters cast presidential ballots at that precinct on election day. Another malfunction wiped out nearly 4,500 votes in local races in Carteret County, N.C.

Some computer scientists argue that the machines are vulnerable to more than isolated and unintentional glitches. More damage could be done, they say, if expert hackers are able to alter the machines' computer code.

A Maryland election official's worst nightmare might play out like this: A low-level worker responsible for the final security check on dozens of voting machines in Baltimore is paid $100,000 by a rogue political operative to insert malicious memory cards in them.

When the machines are activated on election day, these cards erase the voting program on the machine and replace it with one identical in every way except one: Every fifth vote for Candidate X is switched to Candidate Y.

Just how successful such fraud might be in Maryland has long been the subject of lively debate.

Since Congress mandated voting system upgrades when it passed the Help America Vote Act of 2002, two very antagonistic schools of thought have developed on the security of the state's Diebold electronic voting machines: Those who think the threat of such an attack is real and those who think such criticism is absurd.

"Computer science guys are able to get away with what I consider to be shameless scare tactics that don't take into account everything else that goes on in an election," said Donald F. Norris, director of the National Center for the Study of Elections at the University of Maryland, Baltimore County.

By everything else, Norris means locks and tamper tape on the machines; accuracy tests before and during the election; and the thousands of poll workers monitoring voters on Election Day.

And his criticism of fear-mongering among scientists is aimed at Aviel Rubin, the author of one of the first reports exposing flaws in the computer code that drives Maryland's electronic voting machines.

The Johns Hopkins University computer scientist's new book, Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, focuses mostly on the public relations and political fallout from his work. It often paints a less-than-flattering portrait of all of the egos and spin involved, including, at times, his own.

But the book also reveals how horrifyingly easy it was for Rubin to find not only the code that runs the machines, but two critical passwords used to protect them. (An anti-electronic voting activist had found the code unprotected on the manufacturer's computer server - with the passwords imbedded in it - and published it on the Internet.)

Rubin and graduate students at Hopkins and Rice University were among the first to take a look. They found outdated encryption and programming methods, one of which had fallen into disuse in the late 1970s. And the passwords and encryption keys on all of the machines were identical, a fact that Rubin compared to having one key capable of opening every house on a block.

Six months after Rubin released his first study, the state of Maryland hired a group of computer experts at RABA Technologies in Columbia to stage an attack on the system before the March 2004 primary. This time around, the so-called "Red Team" would take into account all of the security surrounding the machines.

What they found was that an attack would be difficult, but not impossible.

To participate in the age-old tradition of vote buying, the thief would need either to be a computer expert or to hire one. The hacker would then need to figure out the password to voters' "smart cards."

Smart cards are the size of ATM cards. But unlike ATM cards, they have a small bronze-colored computer chip imbedded in the center of them, rather than a black stripe on the back. When a voter inserts that card into the voting machine, a pre-programmed ballot appears on the screen.

In January 2004, the Red Team needed only to look at Rubin's report to get the password to every "smart card" in the state. The team, led by Michael Wertheimer, now Chief Technology Officer for the Director of National Intelligence, was easily able to "duplicate" the cards, "change a voter's card" to an election official's card, and "reinitialize" them so that they could be used to vote multiple times.

The Red Team's report found that anyone could purchase all of the technology needed to reprogram these cards "from scratch" for less than $750.

"Think about what it costs to do this, and then think about how much an election is worth," Rubin said. "Becoming president is probably worth billions of dollars. You control a trillion-dollar budget. In comparison, stealing the election costs little."

Since that report, passwords to Maryland election officials' "smart cards" are now assigned on a county-by-county basis - so the password in Howard County is no longer the same as in Baltimore County, greatly reducing the chances of statewide fraud.

But a hacker who had access to the password for Baltimore's smart cards and the necessary equipment and expertise could manufacture thousands of cards capable of casting multiple votes in a mayoral race and recruit an equal number of sinister voters.

The hope is that observant poll workers would catch people spending an awful long time voting or would notice the same screen repeatedly appear.

And at some point during the day, poll workers would discover that the number of votes cast on a machine did not match the number of voters who used it - a check that's done several times during the day by counting receipts election judges have dropped into an envelope taped to the back of every machine.

If a discrepancy is discovered, the hope is that election officials would turn off the machine and recall the voters. But asked what would happen if that were to occur, deputy state elections director Ross Goldstein did not have a definitive answer.

If the totals are just off by a few, Goldstein explained that "sometimes the receipt doesn't make it to the envelope or the voter doesn't give it to the judge. They don't always match 100 percent, but it's sufficient to provide us with a high level of assurance. ... If there's a large problem, we would shut the machine down." What constitutes "a large problem," however, has not been defined.

Proponents of e-voting point out that "stuffing the ballot box" now requires a lot more than it did in the old days. Not only does it require passwords, technical expertise and equipment, but the thief also has to enter the "store," or polling place, to pull off the crime. And to really swing an election, a vast conspiracy of thieves is necessary.

These two facts alone, they say, greatly increase the chances of being caught.

"It is much easier for me, a political scientist, to stuff a ballot box or swap votes on the old paper system than it would be for me corrupt an electronic election," said Norris of UMBC. "There's no evidence of any sort of fraud or corruption like this ever happening on this equipment."

Rubin, however, said that computers make more destructive type of fraud, called wholesale fraud, possible. This type of fraud could be concealed inside the code that drives the machines. Such hacks could be accomplished months, if not years, before an election.

Maryland's electronic voting machines are not connected to the Internet or a computer network, an important security feature. But that also poses problems when the manufacturer needs to upgrade the system. Improvements can't just be downloaded in one fell swoop, they must be manually applied machine-by-machine.

To make that process easier, Diebold Elections Systems designed Maryland's machines so that a new memory card could be inserted into a bay on the right side of the machine. When activated, the machine would "read" from the card and not the software on the system's hard drive.

Should that new memory card contain malicious software, it could "overwrite any file on the system," "invalidate all of the results on that terminal," and if done on the machine used to tally an entire precinct's results, "compromise the entire precinct," according to the Red Team report.

The new software could make a subtle change: switching one in every 100 votes in the race for governor, for instance.

A lock protects the bay for the memory card. To access the bay, one would need a key similar in size to one for a post office box. These election keys, however, are identical for every machine in the state, and it took one member of the Red Team 10 seconds to pick the lock, according to the report.

There are, however, many more effective security measures in place to prevent wholesale election fraud.

In terms of physical security, Baltimore police, for instance, will transport the city's voting machines to and from the storage facility on Franklintown Road and the polling places during the primary.

In addition to getting access to the machine, a seal on the outside of the carrying case would have to be broken, and tamper tape would have to be removed from the bay's key hole to access the memory card. If pulled or tugged on, the word "void" appears in white all over the tape.

Both security features contain serial numbers, so election officials would catch if the seal or tape had been ripped off and replaced.

Most importantly, the machines undergo two critical tests. The first is done right before the machine is locked, called logic and accuracy testing. In Baltimore, contractors and elections officials put several hundred votes on each machine during this test, ensuring that a vote cast for Ehrlich is counted as "Ehrlich," and a vote cast for O'Malley is counted as "O'Malley."

After all of the machines are tested and sealed, two are picked at random. One is sent to Annapolis to be tested on Election Day, and the other one is tested locally at least 10 days before an election.

During these long "parallel tests," which are video-recorded, one person reads a completed test ballot out loud, another casts the votes that are read, and at the end of the test, the hand tally is checked against the machine's tally.

This test is done again on Election Day - for the whole day - for two reasons.

Computer scientists argue that it is possible for a hacker to write a malicious program that would only activate on "09/12/06," the date of the primary. They also argue that it's possible for the hacker to write a program that would only activate after several hundred votes were cast on the machine - after logic and accuracy testing had been completed.

Goldstein, the Maryland election official, said that parallel testing is among the most critical to the security of the election and that Maryland is expanding its Election Day parallel testing this year from four machines to six for the primary and more for the general election in November.

"This answers one of the, I think, most outlandish accusations from computer scientists - that these hacks can sit dormant and then activate on Election Day," Goldstein said. "This is a very robust test in real time on Election Day."

Finding a way around parallel testing is not impossible. But with the exception of a slowly spreading virus transmitted via memory cards, Rubin acknowledges that a successful "wholesale" attack would almost have to be orchestrated by an insider - someone who actually tested the machines prior to the tamper tape being applied or who worked for the manufacturer.

Election officials know this, which is why they often become defensive when accusations of weaknesses in the security and accuracy of the state's voting machines are made.

"Computer scientists always implicate that this is easy to do," Goldstein said. "In no way would it be easy. It requires too much insider information and is so far-fetched."

Many skeptics, concerned about serious computer glitches or actual fraud, have pushed to have a paper-based back-up feature added to Maryland's electronic voting machines. The feature would allow voters to check a printed receipt of their ballot and provide election officials with physical records for possible recounts.

In such systems, the voting machine prints a receipt of the votes cast, which the voter can then view through a piece of plastic to double-check the machine's accuracy.

But a recent study in Cuyahoga County, Ohio, found that these systems also posed problems. The San Francisco-based Election Science Institute concluded that had a recount of the county's May 2 primary been necessary it may not have been possible.

Nearly 10 percent of the county's official ballots - the receipts - were "destroyed, blank, illegible, missing, taped together or otherwise compromised" and described discrepancies among paper and electronic records as "pervasive."

Maryland election officials have been among the most critical of paper trails and confident in their machines' accuracy and security in the country.

Goldstein spoke of a study in which voters were videotaped using electronic machines that allowed voters to view a receipt of their vote through a piece of plastic. But most voters didn't bother and just walked away.

Sun reporter Melissa Harris is a graduate student in government at The Johns Hopkins University's Washington campus.

melissa.harris@baltsun.com

Copyright © 2019, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad
32°