Thursday, May 15, 2008
According to elections firms and election officials, the software and hardware in voting machines is thoroughly inspected and tested before the systems are certified and put on the market for sale to county election directors. Doug Lewis, who heads the Election Center -- a nonprofit management division of the National Association of State Election Directors, which handles part of the voting-machine certification process -- said that "the likelihood of doing something to [a machine] without detection is very, very small."
Lewis says that if you have "malicious code in the system" -- such as a simplistic virus, perhaps, designed to change a vote cast for one candidate into one for his opponent -- the code will be caught in the testing phase of the certification process: "It will not compile right. The testing itself would discover this." Moreover, Lewis says, the testing labs simulate actual voting on each type of machine. The test, which is 163 hours long, "puts tens of thousands of votes into the system, and we know what the outcome is supposed to be."
Lewis says that no voting system ever designed has been perfect. If it's "created by man, it can be destroyed by man," he says. But he believes that several rounds of testing make the machines about as good as we can get them.
Harris finds that hard to believe. In the course of her research, she's uncovered what she says is evidence to suggest that the testing phase of the certification process is flawed. One person she holds up as an example is Dan Spillane, an engineer who worked on the software at a company that made electronic voting machines. Spillane says that national testing labs "are very much like Arthur Andersen in the Enron case": They don't do a very good job. The company Spillane worked for -- he prefers not to have the name published -- would pass systems "with problems that we knew about internally, problems with severity level 1, the highest" on to the testing labs, and the labs would certify the equipment. (Spillane was fired from the company, and he says he plans to sue the firm for wrongful termination.)
Lewis' claim that malicious software "won't compile" is also suspect. Malicious software abounds on computers; on every platform, in every application, from Microsoft Word to e-mail, are bad bits of code. There's no technical reason why one renegade coder at a voting company couldn't slip some pro-Republican or pro-Democratic code into his firm's systems. Computer scientists fear that malicious code can be written so as to evade detection during the testing process, going live only on Election Day.
And for each security procedure that a company might put in place to defeat such efforts, hackers will come up with more sophisticated methods to get around them, says Stanford's David Dill. Recently, worried about the possibility that paperless electronic voting machines will become the national standard, Dill decided to see what others in his field -- people who know about computers and the limits of their security -- could do to let election officials know of the danger.
"Almost any computer scientist I would walk up to would agree with me," says Dill. So he put up a statement of his beliefs regarding electronic voting, and he invited other computer scientists to sign on to it. The statement reads:
"Computerized voting equipment is inherently subject to programming error, equipment malfunction, and malicious tampering. It is therefore crucial that voting equipment provide a voter-verifiable audit trail, by which we mean a permanent record of each vote that can be checked for accuracy by the voter before the vote is submitted, and is difficult or impossible to alter after it has been checked. Many of the electronic voting machines being purchased do not satisfy this requirement. Voting machines should not be purchased or used unless they provide a voter-verifiable audit trail; when such machines are already in use, they should be replaced or modified to provide a voter-verifiable audit trail. Providing a voter-verifiable audit trail should be one of the essential requirements for certification of new voting systems."
The response to Dill's petition was remarkable. In a few weeks, he'd garnered more than 100 signatories, including some of the biggest names in computer security.
Dill recently learned that Santa Clara County is considering purchasing electronic machines that don't print out an audit trail, and he's become an outspoken local advocate against them. He says he's somewhat surprised that election officials haven't taken his and other technologists' concerns more seriously. "I must admit to a certain amount of frustration showing up at these county meetings and hearing that everyone's getting their information from the vendor," he says. "And basically I think that once you get out into the real world, nobody knows who these computer scientists are."
Still, Dill says, his group does "seem to be changing the equation" in Santa Clara, and he thinks that if the county goes the way he'd like -- forcing voting firms to put an audit trail into the machine --- other parts of the country may be more inclined to follow.
Harris has also been popularizing Dill's cause, because she fears that if paperless electronic machines aren't stopped, dire consequences will follow. I asked Harris if she wonders whether she could be too late -- whether there's already been an election in which an electronic machine has produced the wrong result.
"I have worries about Georgia," Harris said. In 2002, the entire state of Georgia used touch-screen machines provided by Diebold. Harris has found an FTP site run by Diebold that allowed anyone with access to the Internet to peruse what might have been important software files concerning the machines used in the state. It's unclear what files were on that site, but Harris wonders whether the programs, which could have been tampered with, were actually loaded onto the voting machines. More recently, Harris found that in an effort to fix a problem that was causing 5 percent of the machines in Georgia to freeze up, Diebold administered a software "patch" to all 22,000 machines in the state shortly before the November election. The patch -- which changes the code on the machine -- was certified "by phone," according to a Georgia election official quoted by Harris.
Joseph Richardson, a spokesman for Diebold, denied that a patch had been applied to the Georgia machines: "We have analyzed that situation and have no indication of that happening at all." In regard to the FTP site, he said, "Our review of this matter indicates there is no merit to the insinuations of security breaches in the Diebold Election Systems solutions. The old Global Election Systems site has been taken down because it contained old, out-of-date material. For 144 years, Diebold has been synonymous with security, and we take security very seriously in all of our products and services." (Georgia elections officials did not respond to phone calls for comment.)
Republicans enjoyed great success in Georgia last year. Defying pre-race polls, voters chose Sonny Perdue, the state's first Republican governor in 135 years, and, for the Senate, the Republican Saxby Chambliss over the incumbent Democrat Max Cleland. After the race, many pundits wondered what had caused the GOP sweep: Was it the president's nonstop campaigning? Had the Democrats dropped the ball on homeland security?
There's every reason to believe that an explanation can be found among those conventional theories. The problem with the widespread use of electronic voting machines, though, is that there's nothing to stop people from thinking that something else, something altogether baser than pure politics, got in the way.
Get Salon in your mailbox!
