[link to index of press clippings]

The New York Times

The Big Gamble on Electronic Voting

Sept. 24, 2006

HANGING chads made it difficult to read voter intentions in 2000. Hotel minibar keys may do the same for the elections in November.

The mechanics of voting have undergone a major change since the imbroglio that engulfed presidential balloting in 2000. Embarrassed by an election that had to be settled by the Supreme Court, Congress passed the Help America Vote Act of 2002, which provided funds to improve voting equipment.

From 2003 to 2005, some $3 billion flew out of the federal purse for equipment purchases. Nothing said state of the art like a paperless voting machine that electronically records and tallies votes with the tap of a touch screen. Election Data Services ... estimates that about 40 percent of registered voters will use an electronic machine in the coming elections.

One brand of machine leads in market share by a sizable margin: the AccuVote, made by Diebold Election Systems. Two weeks ago, however, Diebold suffered one of the worst kinds of public embarrassment ...

Edward W. Felten, a professor of computer science at Princeton, and his student collaborators conducted a demonstration with an AccuVote TS and noticed that the key to the machines memory card slot appeared to be similar to one that a staff member had at home.

When he brought the key into the office and tried it, the door protecting the AccuVotes memory card slot swung open obligingly. Upon examination, the key turned out to be a standard industrial part used in simple locks for office furniture, computer cases, jukeboxes and hotel minibars.

Once the memory card slot was accessible, how difficult would it be to introduce malicious software that could manipulate vote tallies? That is one of the questions that Professor Felten and two of his students, Ariel J. Feldman and J. Alex Haldeman, have been investigating. In the face of Diebolds refusal to let scientists test the AccuVote, the Princeton team got its hands on a machine only with the help of a third party.

Even before the researchers had made the serendipitous discovery about the minibar key, they had released a devastating critique of the AccuVotes security ...

The researchers demonstrated the machines vulnerability to an attack by means of code that can be introduced with a memory card. The program they devised does not tamper with the voting process. The machine records each vote as it should, and makes a backup copy, too.

Every 15 seconds or so, however, the rogue program checks the internal vote tallies, then adds and subtracts votes, as needed, to reach programmed targets; it also makes identical changes in the backup file. The alterations cannot be detected later because the total number of votes perfectly matches the total number of voters. At the end of the election day, the rogue program erases itself, leaving no trace.

On Sept. 13, when Princetons Center for Information Technology Policy posted its findings, Diebold issued a press release that shrugged off the demonstration and analysis. It said Princetons AccuVote machine was two generations old and not used anywhere in the country.

... Professor Felten ... said he could not imagine how a newer version of the AccuVotes software could protect itself against this kind of attack. ...

Mark G. Radke, director for marketing at Diebold, said that the AccuVote machines were certified by state election officials and that no academic researcher would be permitted to test an AccuVote supplied by the company. ...

I persisted. Suppose, I asked, that a test machine were placed in the custodial care of the United States Election Assistance Commission, a government agency. Mr. Radke demurred again, saying the companys critics were so focused on software that they have no appreciation of physical security that protects the machines from intrusion.

This same point was featured prominently in the companys press release that criticized the Princeton study, saying it all but ignores physical security and election procedures. ...

If skeptics cannot believe what they read about the ease of manipulating an election, they can watch the 10-minute online video: the AccuVote lock is picked, a memory card is inserted and the malicious software is loaded; the machine is rebooted, and within 60 seconds the machine is ready to throw the election in favor of any specified candidate.

Computer scientists with expertise in security issues have been sounding alarms for years. David L. Dill at Stanford and Douglas W. Jones at the University of Iowa were among the first to alert the public to potential problems. But the possibility of vote theft by electronic means remained nothing more than a hypothesis until the summer of 2003, when the code for the AccuVotes operating system was discovered on a Diebold server that was publicly accessible.

The code quickly made its way into researchers hands. ... At a computer security conference, the AccuVotes anatomy was analyzed closely by a team: Aviel D. Rubin, a computer science professor at Johns Hopkins; two junior associates, Tadayoshi Kohno and Adam Stubblefield; and Dan S. Wallach, an associate professor in computer science at Rice. They described how the AccuVote software design rendered the machine vulnerable to manipulation by smart cards. They found that the standard protections to prevent alteration of the internal code were missing; they characterized the system as far below even the most minimal security standards.

Professor Rubin has just published a nontechnical memoir, Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting (Morgan Road Books), ...

Recently, there have been signs that states are having second thoughts about trusting their AccuVote equipment. ...

Professor Rubin favors the use of touch screens only for ballot marking capturing a voters intended choice then printing out a paper ballot ...

Manual audits of the tallies in at least 1 percent of all precincts, as is now required in California, would provide a transparent method of checking for integrity. ...

Let computers do what they do best, Professor Rubin said, and let paper do what it does best.