
E-Voting: Fast, Cheap, Vulnerable?

Hackers say machines such as those recently purchased by Alameda County's registrar of voters leave elections wide open to fraud.


Four years ago, Brad Clark made California electoral history. Armed with a platoon of AccuVote computerized voting machines, Alameda County's registrar of voters rolled into Piedmont and successfully executed the state's first entirely digital election.

Then last year, with the Florida recount fiasco fading from memory and the California recall a mere twinkle in some Republican's eye, Clark spent $12 million to buy AccuVote units for all the county's polling places. These machines, the top-selling e-voting systems on the market, are designed by Diebold, an Ohio-based firm that also produces ATMs, security devices, and money processing systems.

But the new system Clark helped usher past the state elections commission is now a target of programmers who claim it's ripe for fraud. "I do like them," he says calmly of the machines, despite the recall hurricane that has recently descended upon his office. "One of the big reasons I like them is that we are a large urban county and we have these language requirements and we have a disabled population that needs to be served."

From a registrar's perspective, Diebold's touch screens solve many problems that plague elections officials. For example, the system makes it impossible to accidentally vote for two candidates in the same race -- thus nullifying those votes. The ballot can also be read aloud by the computer -- which allows blind citizens to cast ballots without assistance -- or changed into one of twenty languages with the touch of a key.

But this flexibility, programmers say, comes at a price: peace of mind. A harshly critical academic analysis of Diebold's system and a host of real-world security problems suggest that electronic vote tabulation is every bit as susceptible as its paper-based predecessor to potential errors and fraud. As a number of California jurisdictions prepare to embrace e-voting in the hastily organized and dazzlingly complex statewide recall, critics fear that the state could be setting up an electoral crisis of Floridian proportions.

Diebold's recent troubles began last winter when Internet snoops went knocking on some virtual doors around the company's servers. One hacker discovered an open file transfer site on Diebold's network. In geek terms, that's a bit like leaving your loading dock open after midnight with no security guards to keep an eye on what's going in and out. The unprotected Web site was filled with seemingly confidential internal documents and code. Word quickly spread, and a combination of activists, hackers, and political junkies gravitated to the site's trove of documents, which have since provided ammo for Diebold's critics.

The first file to be fully analyzed, a software patch titled robgeorgia.zip, concerned the state of Georgia, which had replaced all of its voting machines with AccuVote units prior to its 2002 gubernatorial elections. It was addressed to Rob Behler, a systems contractor employed by the state. Behler's name was on the file because he had uncovered a host of problems with Diebold's Georgia installation. The system's biggest failing was that software on thousands of machines seemed to think the year was 1974, which made it impossible for technicians to boot up the voting machines. "Probably 25 percent of the machines had an error of some type," he recalls. "There's 19,000 statewide ... that's about 5,000."

Behler and his fellow techs worked feverishly the summer before the elections to fix the buggy systems. After he talked to Diebold about the problems, the company placed software patches on its Web site and the technicians downloaded the patches and loaded them directly onto the faulty machines. But it took multiple attempts by Diebold to solve the problems without creating others elsewhere. And because the soft-spoken father of seven had raised an internal stink about the problems, Behler soon found himself without a job, which prompted him to go public with his complaints.

Once the election results were in and the first Republican governor in 134 years was safely in office, a 51-year-old Georgia mother of five heard about these issues through the digital grapevine. Her name is Roxanne Jekot, and she's been a programmer almost as long as she's been a mom. Jekot was so livid about the shenanigans she believes went on prior to the Georgia general elections that she formed the Menopause Militia, a crew composed mostly of middle-aged, code-slinging mothers whose goal is to demonstrate Diebold's security flaws.

In August, Jekot and her militia approached Georgia officials, offering to prove just how easy it is to hack the Diebold system. Governor Sonny Perdue was willing, but both the company and Secretary of State Cathy Cox, Perdue's political rival, refused. (Cox is expected to run for governor in 2006, and any investigation into election fraud could hurt her chances.)

The software swaps nonetheless raised two serious concerns. That so many machines were malfunctioning threw their reliability into question. And because the operating system and all of the voting code are contained on a single data card, someone with access to the machines -- an elections worker, contractor, or Diebold employee -- could tamper with the machines by uploading a string of custom code on just such a card.

This is exactly what Diebold critic Avi Rubin worries about. An associate professor of computer science at Johns Hopkins University in Maryland, Rubin and some of his colleagues recently wrote a report systematically detailing Diebold's security flaws. The biggest problem, he says, is simply the overall poor quality of the code. "The ballot definition file, if ever modified, could have the votes tabulated for one candidate be tabulated for another," the professor says. "It would have to be an inside job: a delivery truck driver, developer, manager, election official. The gaming industry protects their slot machines. There's nothing like that for elections."

Diebold didn't return phone calls for this story, but it did assail Rubin's report in a lengthy press release: "The software examined in the report was an older version. Second, all software has areas that can be improved." The company's statement goes on to address Rubin's issues with the changing of the ballot definition file: "The attacker would need to have physical access to the file. Preventing this is a matter of process control at election central during the programming of the election."

But that's why the Georgia debacle was so worrisome. Fresh pieces of code were installed directly onto Georgia's voting machines without any supervision. That code could have done anything from swapping Democratic votes for GOP votes, to turning hundreds of tabulated yays to nays. And if such a thing were to happen, there's no paper trail -- and no chance for a recount. "There was no public review of the code they placed on those machines," company critic Jekot fumes. "[Behler] called Diebold and they sent patches. They installed uncertified patches!"

The growing critique of Diebold gained velocity last week after militia member Jim March of Silicon Valley managed to decrypt a compressed data file from the March 2002 primary in San Luis Obispo County. March cracked a file called sloprimary030502.zip that was protected by the password "Sophia," which matched the name of a Diebold employee named Sophia Lee who was then working with the SLO registrar.

The file, he discovered, contained a snapshot of the balloting taken at 3:31 p.m. on election day. If verified, this would be a clear violation of California law: Elections workers cannot legally view results until after the polls close at 8 p.m. "Diebold dumped the results up to their Web site during the primary," March shouts. "They could play the stock market on this information in a larger election. What we've got here is absolute proof that this software that calculates the votes in San Joaquin and Alameda [counties] can be tampered with. You can dick with passwords, you can play with the results."

Critics of the Diebold system demand that manufacturers of electronic voting systems run open-source software (visible to public scrutiny) and produce a paper trail. It's not safe, they say, to sacrifice the possibility of a manual recount for the savings garnered from eliminating printing costs.

But no system is entirely foolproof, offers Glenn Newkirk, an Oklahoma-based elections consultant who works with state legislatures and local governments, and whose firm has seen a sharp uptick in business since Florida 2000. "People vote with paper, then it's tabulated and put into spreadsheets," he says. "People walk around behind lever machines and write down the numbers from the back of the machines. Then they type that information into the computer."

Those computers, however, are not necessarily plugged into the outside world, unlike Diebold's main ballot-tabulation servers; when the polls close, the individual AccuVote machines dial into a central county server to upload their results.

These are all issues Contra Costa County Registrar Steven Weir will soon have to consider. Since 1981 the county has used optical scanners that read SAT-like paper ballots. "I think that it's a mature system that is moving towards the end of its life," he says. "It will not accommodate the blind. By January 1, 2006, we are required to use a system that will accommodate the blind."

Registrars like Weir and Clark must also deal with fiscal realities, and e-voting is ultimately the cheapest way to go. Contra Costa faces three elections this fall and Clark, whose yearly budget is $5 million, has had to dance with the calculator to make the recall election possible in Alameda County. "The recall election was not budgeted at all," he says. "It will cost $1.5 to $2 million to run that. We have money in our budget, but it was for the March primary."

Clark has read Rubin's report and heard the arguments. He acknowledges Diebold's flaws, but has concluded the AccuVote's benefits outweigh its drawbacks. And so far, Georgia hasn't reared its ugly face around here. "Last November, we had some go down during the day, but it was only 1 percent or less. We didn't lose any votes; we simply replaced the machines with new ones." On the integrity of his people, he stands firm as well: "All poll workers," he notes, "are under oath."

At the moment, the registrar's main concern isn't fraud, but simply finding enough volunteers to work the polls. "We always need poll workers," Clark says. "If you want to volunteer, call us at 510-272-6971."

Hackers need not apply.
