- Page A01
Jolted Over Electronic Voting
Report's Security Warning Shakes Some States' Trust
By Brigid Schulte
Washington Post Staff Writer
The Virginia State Board of Elections had a seemingly simple task before it: Certify an upgrade to the state's electronic voting machines. But with a recent report by Johns Hopkins University computer scientists warning that the system's software could easily be hacked into and election results tampered with, the once perfunctory vote now seemed to carry the weight of democracy and the people's trust along with it.
Since being released two weeks ago, the Hopkins report has sent shock waves across the country. Some states have backed away from purchasing any kind of electronic voting machine, despite a new federal law that has created a gold rush by allocating billions to buy the machines and requiring all states, as well as the District of Columbia, to replace antiquated voting equipment by 2006.
Maryland officials, who signed a $55.6 million agreement with Diebold for 11,000 touch-screen voting machines just days before the Hopkins report came out, have asked an international computer security firm to review the system's security. If they don't like what they find, officials have said, the sale will be off.
The report has brought square into the mainstream an obscure but increasingly nasty debate between about 900 computer scientists, who warn that these machines are untrustworthy, and state and local election officials and machine manufacturers, who insist that they are reliable.
Still, even some advocates of the new system are thinking twice. The Leadership Conference on Civil Rights, which pushed for electronic machines to help visually impaired and disabled voters, says the Hopkins report has given them pause. They're calling on President Bush and members of Congress to convene a forum of experts to hash it out. "We have become concerned about these questions of ballot security," said Deputy Director Nancy Zirkin.
Mischelle Townsend, registrar of voters in Riverside County, Calif., said the electronic machines have saved as much as $600,000 in paper every election and, from 1996 to 2000, helped increase voter turnout to 72 percent, up 10 percent.
Any tampering would be caught, she said, in the extensive pre- and post-election testing. The best defense of the machines, she said, is that there has been no documented case of voter fraud. "If the computer scientists had one valid point, one, then why hasn't one incident of what they're saying occurred in all of these elections?"
"Some of these hacking scenarios are highly improbable. But it's not completely out of the question," said Larry J. Sabato, a political scientist at the University of Virginia who has written about political corruption. "When the stakes are high enough in an election, partisans and others will do just about anything. So this is a worry."
"Whoever certified that code as secure should be fired," said Avi Rubin, technical director of the Information Security Institute at Johns Hopkins and co-author of the report.
Rubin analyzed portions of Diebold software source code that was mistakenly left on a public Internet site and concluded that a teenager could manufacture "smart" cards and vote several times. Further, he said, insiders could program the machine to alter election results without detection. All machines had the same password hard-wired into the code. And in some instances, it was set at 1111, a number laughably easy to hack, Rubin said.
Because there is no paper or electronic auditing system in the machine, there would be no way to reconstruct an actual vote, he said.
In a 27-page rebuttal, Diebold dismissed the findings. Officials said that the software Rubin analyzed was old and that only a portion may have been used in an actual election. "Right now, we're very, very confident about the security of our system," said Mark Radke, a Diebold executive. "If there is a way to make it more secure, we're open to that from good, reliable, knowledgeable sources who don't have a previous agenda."
...All machines go through the FEC's testing and certification process, which can cost companies anywhere from $25,000 to $100,000. Yet a 2001 report by the General Accounting Office found that the FEC standards do not thoroughly test for security or user friendliness and that only 37 states follow them.
Doug Jones, a computer scientist in Iowa, said the testing is so secret that even he, as an insider who serves on the state board that certifies voting equipment, can't get information. Five years ago, he found the identical security flaws cited in the Hopkins report.
"They promised it would be fixed," Jones said. "The Hopkins group found clear evidence that it wasn't. Yet for five years, I had been under the impression that it was fixed."
Diebold's Radke said the code has been fixed.
Even the most vocal critics say there are workable solutions. Computer scientists say the companies should release their secret source codes for expert review, as two start-ups, VoteHere and Populex, have agreed to do. Or that states should require automatic upgrade clauses, as Santa Clara County has.
Dill, the Stanford computer scientist, and others are pushing for what are called voter-verified audit trails. By attaching a printer to every machine, voters can review the electronic ballot before it drops into a locked box.