After the hanging-chad fiasco of the 2000 presidential election, Congress funded a nationwide drive to replace punch-card ballots and lever-operated voting machines in time for November 2004. The Help America Vote Act of 2002, or HAVA, authorized $3.9 billion over three years to help state and local governments upgrade their election equipment. The only replacements being considered seriously are electronic voting booths: stand-alone kiosks for which voters are given an encrypted smartcard that identifies them to the computer and lets them vote exactly once. But a report released last week by the Information Security Institute at Johns Hopkins University says the touch-screen machines are Swiss cheese—full of holes—for hackers. “Common voters, without any insider privileges, can cast unlimited votes without being detected,” the report claims. It’s based on an analysis of the software source code for voting machines made by Diebold Election Systems, a division of a company that makes automated teller machines. Someone at Diebold accidentally placed the code on a publicly accessible Internet server in January, resulting in its dissemination around the Net.
Diebold boasts only 33,000 machines in use nationwide, and Omaha, Neb.-based Election Systems & Software, which claims to count 56 percent of America’s vote, has installed a mere 30,000 touch-screen machines in 15 different states. But the state of Maryland, which bought 5,000 of Diebold’s machines last year, just awarded Diebold a contract to replace the rest of the state’s booths with 11,000 more touch-screen units. That’s probably why Baltimore-based JHU’s report sounds like it’s lunging for the emergency brake. “Our analysis shows that this voting system is far below even the most minimal security standards,” it thunders on page one. The report claims the code is riddled with “unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes” (Ack! A geek’s worst insult!) before spelling out a scenario in which a middling hacker steals the vote by stamping out fake voter smartcards using a $100 desktop printer.
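The report's "fake voter smartcard" scenario is what happens when a booth trusts whatever a card says about itself. The following is an added illustration, not code from Diebold or from the Johns Hopkins report, of the check a booth should do instead: the poll worker's card issuer computes an HMAC over the card serial and an election identifier with a key held only by the machines, and the booth verifies that tag and refuses to consume the same serial twice. The election identifier, key, serials and candidate names are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed example values. In practice the key would be provisioned into the
# machine's protected storage by the election office, never written onto the card.
ELECTION_ID = b"general-2004-precinct-0042"   # constructed identifier
MACHINE_KEY = secrets.token_bytes(32)          # constructed per-election key


def issue_card(card_serial: str, key: bytes = MACHINE_KEY,
               election_id: bytes = ELECTION_ID) -> dict:
    """Poll-worker side: build a voter card bound to this election.

    The tag is an HMAC-SHA256 over election id and serial, so a card made up
    from scratch, or copied from another election, will not verify."""
    msg = election_id + b"|" + card_serial.encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"serial": card_serial, "election": election_id.decode(), "tag": tag}


class Booth:
    """Machine side: accept each genuine card exactly once."""

    def __init__(self, key: bytes = MACHINE_KEY, election_id: bytes = ELECTION_ID):
        self.key = key
        self.election_id = election_id
        self.used = set()      # serials already consumed on this machine
        self.ballots = []      # votes recorded on this machine

    def accept(self, card: dict) -> str:
        if card.get("election", "").encode() != self.election_id:
            return "rejected: wrong election"
        msg = self.election_id + b"|" + card.get("serial", "").encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # compare_digest keeps the comparison constant-time.
        if not hmac.compare_digest(expected, card.get("tag", "")):
            return "rejected: bad authentication tag"
        if card["serial"] in self.used:
            return "rejected: card already used"
        self.used.add(card["serial"])
        return "accepted"

    def cast(self, card: dict, choice: str) -> str:
        status = self.accept(card)
        if status == "accepted":
            self.ballots.append(choice)
        return status


def demo():
    """Run one genuine card, a replay of it, an unsigned card, and a card signed
    with some other key through a booth; returns the statuses and the ballot count."""
    booth = Booth()
    good = issue_card("A-0001")
    results = [booth.cast(good, "Candidate X")]
    results.append(booth.cast(good, "Candidate X"))            # same card again
    unsigned = {"serial": "A-0002", "election": ELECTION_ID.decode(), "tag": "00" * 32}
    results.append(booth.cast(unsigned, "Candidate Y"))        # no valid tag
    foreign = issue_card("A-0003", key=secrets.token_bytes(32))
    results.append(booth.cast(foreign, "Candidate Y"))         # wrong key
    return results, len(booth.ballots)


if __name__ == "__main__":
    print(demo())
```

Only the first card is counted; the replay, the unsigned card and the card signed under a different key are all refused before a ballot is recorded. Note what this does and does not cover: it stops an outsider with a card writer, which is the report's scenario, but the key and the used-serial set live on the machine, so the insider Dill describes later in the piece, someone with access to the code or the hardware, is not addressed by it, and the used-serial record would need tamper-evident storage to survive a recount.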
Are there bugs in Diebold’s code? Of course there are, same as with any program longer than “Hello, world.” But instead of ’fessing up, Diebold has issued one press release after another trying to discredit the Johns Hopkins report. Too bad the company didn’t decide to go with the flow instead, by claiming it put the source code on the Internet on purpose. Open-sourcing its software was the smartest mistake Diebold could have made. It’s the only way security experts (real or self-imagined) will ever take the company seriously. The security track record of open-source programs such as the Linux kernel and the Apache Web server suggests that an all-hands review would improve Diebold’s product. And unlike most software products, there’s little business risk. Unlike pirated music CDs, bootleg voting booths based on Diebold’s copyrighted code would be a tough sell to local governments, either in the United States or in the 178 other member nations of the World Intellectual Property Organization.
More important, open-sourcing the voting machines would reduce some people’s nagging fear that the booths are rigged. Even if there were no bugs at all in the code, the installation of hundreds of thousands of new, all-electronic voting machines just in time for President Bush’s next election is already high-octane fuel for conspiracy theorists. News stories on the Diebold flap have ignored the original source of the claims: Bev Harris, a Renton, Wash., publicist and fast-talking progressive activist. The Johns Hopkins study was based on the code Harris found, but by her own admission she is neither an impartial source nor a particularly technical one. Harris claims she found Diebold’s source code online while obsessively Googling for information about the company’s possible connections to the Bush administration. That’s probably why major newspapers, including the New York Times, that have picked up on her discovery have run it without mentioning her. Meanwhile, though, Harris is drawing lots of online links to her black-helicopter claims, which boil down to: Diebold’s machines are designed with back doors into which GOP operatives can download additional “votes.” None have been found, but good luck pointing that out the day after the election.
The two most popular scenarios for Hack the Vote ’04 are either a Kevin Mitnick-style cyberpunk tapping into the machines remotely, or Cheney board-member cronies who order back doors built into the software. Hollywood-style plots like these are about as likely as they sound. Instead, Stanford University computer science professor David Dill, who has been campaigning for better voting machines, says the most likely hack would be an inside job carried out by an accomplished, partisan hacker who lands a trusted job at Diebold, ES&S, or one of the election offices. “Imagine a programmer, system administrator, or even a janitor who gets access to the code,” Dill says.
Dill points out that most successful computer crimes are pulled off by insiders. It’s the standard M.O. for identity theft: The thief finagles a job at a financial firm, close to the big database of customer accounts, and walks out the door with a copied disk. Likewise, voting machines could be tampered with by insiders who turn out to be party agents, or even a lone gunman with the political drive to match his coding skills—say, a Unix guru who thinks Nader just needs a little help to defeat those corporate campaign contributions.
The only sure check against an outlaw wacko programmer is an army of wacko programmers poring over every line of his work. There are also ways to verify that the booths themselves aren’t running tampered code. Instead of looking for Diebold’s ties to Dick Cheney, we should be watching that quiet new repairman.
Unfortunately, it’s unlikely that any of the voting-machine vendors will go the open-source route. Proprietary code is a given in most corporate cultures, and Jim Barksdale’s conversion to open source at Netscape five years ago didn’t exactly set a great example of successful results. But there’s another feature that should be added to the electronic machines that already record about 20 percent of America’s votes: an old-fashioned paper trail. Dill calls it a “voter verifiable audit trail,” which means that before you leave the booth, you the voter get a printout of what the machine thinks your votes are, for your review. If you agree with the printout, you drop it into a sealed box where it can be used for recounts. Boxes full of paper are much harder to manipulate than electronic tallies. Without a paper copy of your vote stored as a backup, there’s no way to prove whether electronic vote totals were tampered with.
Adding a ballot-printing option to electronic machines should be an easy fix, but unless Congress mandates that elections have a paper trail, don’t expect local governments to line up behind the idea. ES&S claims it will be able to add a printer to existing machines for $500 each—a 10 percent markup. And a Diebold spokesman told me, “While Diebold is certainly capable of producing receipt printers, we currently have no plans to manufacture receipt printers primarily because our customers haven’t requested it.” HAVA passed without requiring a voter-verified audit trail, and a bill to amend it hasn’t gone far in the House. Unless that changes, if you don’t like next November’s election results, at least you’ll be able to blame the computer.