New Voting Systems Assailed

[R. A. Hettinga]

<http://www.washingtonpost.com/ac2/wp-dyn/A39241-2003Mar27?language=printer>

washingtonpost .com 

New Voting Systems Assailed 
Computer Experts Cite Fraud Potential 

By Dan Keating 
Washington Post Staff Writer 
Friday, March 28, 2003; Page A12 

As election officials rush to spend billions to update the country's
voting machines with electronic systems, computer scientists are
mounting a challenge to the new devices, saying they are less reliable
and less secure from fraud than the equipment they are replacing.

Prompted by the demands of state and federal election reforms,
officials in Maryland, Georgia, Florida and Texas installed the
high-tech voting systems last fall. Officials in those states, and
other proponents of electronic voting, said the computer scientists'
concerns are far-fetched.

"These systems, because of the level of testing they go through, are
the most reliable systems available," said Michael Barnes, who oversaw
Georgia's statewide upgrade. "People were happy with how they
operated."

In Maryland, "the system performed flawlessly in the two statewide
elections last year," said Joseph Torre, the official overseeing the
purchase of the state's new systems. "The public has a lot of
confidence in it, and they love it."

But the scientists' campaign, which began in California's Silicon
Valley in January, has gathered signatures from more than 300 experts,
and the pressure has induced the industry to begin changing course.

Electronic terminals eliminate hanging chads, pencil erasure marks and
the chance that a voter might accidentally select too many
candidates. Under the new systems, voters touch the screen or turn a
dial to make their choices and see a confirmation of those choices
before casting their votes, which are tallied right in the
terminal. Recounts are just a matter of retrieving the data from the
computer again. The only record of the vote is what is stored there.

Critics of such systems say that they are vulnerable to tampering, to
human error and to computer malfunctions -- and that they lack the
most obvious protection, a separate, paper receipt that a voter can
confirm after voting and that can be recounted if problems are
suspected.

Officials who have worked with touch-screen systems say these concerns
are unfounded and, in certain cases, somewhat paranoid.

David Dill, the Stanford University professor of computer science who
launched the petition drive, said, "What people have learned
repeatedly, the hard way, is that the prudent practice -- if you want
to escape with your data intact -- is what other people would perceive
as paranoia."

Other computer scientists, including Rebecca Mercuri of Bryn Mawr
College, say that problems are so likely that they are virtually
guaranteed to occur -- and already have.

Lost and Found 

Mercuri, who has studied voting security for more than a decade,
points to a November 2000 election in South Brunswick, N.J., in which
touch-screen equipment manufactured by Sequoia Voting Systems was
used.

In a race in which voters could pick two candidates from a pair of
Republicans and a pair of Democrats, one machine recorded a vote
pattern that was out of sync with the pattern recorded elsewhere -- no
votes whatsoever for one Republican and one Democrat. Sequoia said at
the time that no votes were lost -- they were just never
registered. Local officials said it didn't matter whether the fault
was the voters' or the machine's, the expected votes were gone.

In October, election officials in Raleigh, N.C., discovered that early
voters had to try several times to record their votes on iVotronic
touch screens from Election Systems and Software. Told of the
problems, officials compared the number of voters to the number of
votes counted and realized that 294 votes had apparently been lost.

When Georgia debuted 22,000 Diebold touch screens last fall, some
people touched one candidate's name on the screen and saw another
candidate's name appear as their choice. Voters who were paying
attention had a chance to correct the error before finalizing their
vote, but those who weren't did not.

Chris Rigall, spokesman for the secretary of state's office, said that
the machines were quickly replaced, but that there was no way of
knowing how many votes were incorrectly counted.

In September in Florida, Miami-Dade and Broward counties had a
different kind of vote loss with ES&S touch-screen equipment: At the
end of the day, precincts that reported hundreds of voters also listed
virtually no votes counted. In that case, technicians were able to
retrieve the votes from the machines.

"If the only way you know that it's working incorrectly is when
there's four votes instead of 1,200 votes, then how do you know that
if it's 1,100 votes instead of 1,200 votes? You'll never know," said
Mercuri.

Because humans are imperfect and computers are complicated, said Ben
Bederson, a professor of computer science at the University of
Maryland, mistakes will always be made. With no backup to test, the
scientists say, mistakes will go undetected.

"I'm not concerned about elections that are a mess," Dill said. "I'm
concerned about elections that appear to go smoothly, and no one knows
that it was all messed up inside the machine."

"We're not paranoid," said Mercuri. "They're avoiding computational
realities. That's the computer science part of it. We can't avoid it
any more than physical scientists can avoid gravity."

The Miami-Dade and Georgia terminals were reprogrammed right up until
the eve of the fall elections. The last-minute patches don't go
through sufficient review, Mercuri said, and any computer that can be
reprogrammed simply by inserting an update cartridge cannot be
considered secure or reliable.

Dill said hackers constantly defeat sophisticated protections for
electronic transactions, bank records, credit reports and
software. "Someone sufficiently unscrupulous, with an investment of
$50,000, could put together a team of people who could very easily
subvert all of the security mechanisms that we've heard about on these
[voting] machines," he said.

People who have sold or administered electronic voting systems,
however, say the scenarios of fraud or widespread, election-changing
error were not of the real world.

'We'd Detect It' 

Howard Cramer, vice president for sales at Sequoia, one of the
nation's largest suppliers of electronic voting systems, noted that
his company has been supplying the systems for a decade and a
half. "Our existing approach is verifiably accurate, 100 percent," he
said. "Some of the things they're saying are flat-out wrong. Some are
conceivable, but outside the likelihood of possibility."

The designer of Georgia's security system, for example, said nobody
could insert a secret program to steal an election when the machines
are created, because no one even knows at that time who the candidates
will be, and the only people with access to the machines at the last
minute are local officials.

"They're talking about what they could do if they had access to the
[computer program] code, if we had no procedures in place and no
physical security in place," said Brit Williams, a computer scientist
at Kennesaw State University. "I'm not arguing with that. But they're
not going to get access to that code. Even if they did, we'd detect
it."

He also said that Georgia's patch was checked before it was installed
and did not affect the tallying of votes. And no one, he said, could
reprogram Georgia's terminals by inserting a cartridge.

"On our machine, the port is in a locked compartment. The only person
in the precinct who has a key to that locked compartment is the
precinct manager. [Critics are] looking at it from a purely computer
science point of view, saying the system is vulnerable, and it would
be vulnerable if we let anyone walk up and stick a card into it, but
that doesn't happen."

After Dill launched his campaign, officials in the Silicon Valley
county of Santa Clara delayed a purchase of 5,000 touch-screen voting
machines. Despite insisting that their systems are reliable and
secure, the nation's leading vendors all immediately agreed to provide
paper receipts, and the California secretary of state announced a task
force to review the security concerns.  A month ago, Santa Clara went
ahead with its $20 million purchase, insisting that receipts be
provided once the state approves the new equipment.

Georgia and Maryland officials said that providing paper receipts may
create more problems than it solves -- that paper would have to be
transported and monitored with security, and printers could
jam. Cramer of Sequoia said paper is unnecessary, costly and may pose
a problem for blind voters.

But if customers want receipts, he said, his company will supply
them. And Williams said receipts may have a place in the system. "The
advantage of a hard piece of paper -- one that a voter would hold in
his hand and say, 'That is who I voted for' -- that is psychological,
and there certainly is value to that. We need public confidence in our
elections," he said.

Similarly, the official overseeing Maryland's program would accept
paper if it were available.

"I've been doing voting systems for 15 years," Torre said. "I don't
care if they give voters a piece of paper or not. If they come out
with a receipt, that's fine. Maybe with the momentum out of
California, we'll have receipts before too long."

© 2003 The Washington Post Company 


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com