How Safe Is Your E-Vote?
Elections go digital, but experts fear a crash
It's either the best thing ever to happen to elections, or the stupidest blunder our elected officials have ever made; the savior of our democracy, or a conspiracy to steal it; an idea whose time has come, or a hapless symbol of society's naive faith in technology.
Electronic voting hasn't completely boiled over into the nation's greater consciousness ... yet. But it's on a high simmer. It has staunch defenders, passionate detractors, and one way or another, it will make a huge impact on the 2004 elections.
The push for computerized voting gained momentum after the 2000 presidential election, also known as the biggest electoral fiasco in U.S. history. An appalled nation learned what an imperfect science elections are: hanging chads, allegations of fraud, and butterfly ballots making Jews vote for Pat Buchanan. Surely, we were told, in our modern computer age, we could do better than this.
In some eyes, computers seemed the obvious answer. No chads. No stray marks. No spoiled ballots (in fact, no paper). No need for human judgment about "voter intent" at all. The result was the 2002 federal Help America Vote Act, which does not specifically require electronic voting but does provide funding to help states replace punch-card and lever voting systems. Many jurisdictions all over the nation are choosing "direct recording electronic" (DRE) systems.
But while election administrators are generally enthralled with the new technology (and a number of companies are rushing to meet the demand), others are not embracing DRE voting. And the critics are not just the usual conspiracy theorists. The strongest condemnation is coming from the people who best know the limitations of computerization: computer scientists.
What will electronic voting mean for Travis Co. (and the rest of Texas) and how might our experience compare to the rest of the nation?
Perhaps the best way to understand electronic voting in Travis Co. is to understand what it is not.
It is not Diebold. And it is not ES&S, nor Sequoia. Those three firms are the market leaders in the electronic voting system business, and thus quite naturally have become lightning rods, especially Diebold, for the nationwide movement against electronic voting.
Diebold and ES&S (Election Systems & Software) have some conspicuous Republican connections that automatically make yellow dogs go on point. Diebold CEO Walden O'Dell is a Bush "Pioneer," having collected at least $100,000 in Bush campaign contributions, and in a now notorious 2003 quote he said he was "committed to helping Ohio deliver its electoral votes to the president next year," a statement widely denounced as proof positive that Diebold's machines will be rigged to favor Republicans. In context, O'Dell was clearly referring to fundraising, not vote stealing. But quicker than you can say "conspiracy," the credibility of his company was damaged. As for ES&S, one of its board members (and former CEO) is Nebraska Republican Sen. Chuck Hagel, raising an obvious question of conflict of interest between campaigning for votes and producing the machines that will tally them.
But one good reason to doubt the Republican electronic coup theory of e-voting is that, in fact, many of the election officials aggressively pushing for e-voting, including Travis Co. Clerk Dana DeBeauvoir, are longtime Democrats.
Many computer experts express much more concrete concerns that the available equipment doesn't offer the security an election requires. Three key studies have focused on these doubts: A group of scientists at Rice and Johns Hopkins universities snagged a copy of Diebold source code that was inadvertently posted on the Internet and examined it; and the secretaries of state of both Ohio and Maryland commissioned studies that were highly critical of Diebold. All three studies charged that the machines were highly vulnerable to tampering. (Diebold responded that the Rice/Johns Hopkins scientists examined outdated source code; as for the Maryland study, the company actually claimed that it praised the Diebold AccuVote machines, a spin that dismayed the study's authors. See "What the Studies Say.")
Even more troubling are reports of malfunctions, computer or human in origin, that have caused problems in actual elections. Among other things, there have been instances of more votes being registered than were actually cast, voters pressing on one candidate but the machine registering the vote for another, or votes simply vanishing.
So what's the difference in Travis Co.? In brief, Hart InterCivic, an Austin-based company trying to broaden its market, in part with an apparently more reliable product.
Hart InterCivic morphed out of Hart Graphics, a printing company founded in 1912. In recent years, as the document industry moved increasingly from paper to electronic formats, Hart developed extensive digitized business with governmental agencies. In 1999, the government-related portion of the business spun into the completely separate Hart InterCivic, which is becoming a major national player in the growing DRE-machine industry.
The eSlate Connection
Hart's product is called the eSlate, a small electronic tablet of sorts, specialized for casting ballots in elections. In the summer of 2002, Travis Co. Clerk Dana DeBeauvoir purchased several hundred eSlates and gave them a successful trial run in the early voting period of the November 2002 elections. The county went whole hog into e-voting in the spring 2003 Austin municipal elections, scrapping its optical scanning system altogether. DeBeauvoir says her choice of eSlate was not simply an attempt to Buy Greater Austin, but that Hart InterCivic's machine has several obvious advantages over its rivals.
Unlike Hart's major competitors, the eSlate does not use a touch screen. "I had trouble with calibration issues on the touch screens," DeBeauvoir says, meaning that the onscreen "buttons" that the voter presses sometimes slip out of alignment with the proper sensors underneath the screen. "Not all of them, but some of them. It's what happened in Dallas [during early voting in the 2002 general election, on ES&S machines]; you end up maybe casting a ballot for the other candidate and don't realize it. They've done some things in the industry to try to improve it since I first looked at it, so in fairness to them, I think they have improved their product, but at the time I was doing the review I found it troubling."
Instead, eSlate uses a wheel-and-button system: the voter turns a dial until the candidate of choice is highlighted, and then presses a button to select the candidate, never touching the screen. (As in all DRE systems, the voter can correct errors before finally pressing the "cast ballot" button.)
Secondly, eSlate does not use "smart cards," credit-card-sized devices given by the election workers to voters, who plug them into a voter terminal, letting the machine know that the person standing before it is indeed a legitimate voter. The Rice/Johns Hopkins researchers say that it would be terribly easy to "homebrew" such cards, which an attacker could then sneak into the polling place and use to cast multiple votes. The eSlate voters, in contrast, are assigned unique personal identification numbers when they show up at the polling place, which they then enter into the voting machine. The number's validity expires either upon casting the ballot, or, if unused, within a few minutes of its assignment.
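The access-code scheme just described (a code that is unique while live, consumed when the ballot is cast, and lapsed if unused after a few minutes) is easy to state but worth seeing as a small state machine. The following is an added illustration written for this page; it is not Hart's software and is not drawn from the article. The four-digit format and the 300-second lifetime are assumptions, and the clock is injected so the expiry rule can be exercised without waiting.

```python
import secrets
import time

CODE_TTL_SECONDS = 300  # "within a few minutes": assumed value, not Hart's


class AccessCodeIssuer:
    """Issues one-time voter access codes for a single polling place.

    A code is unique among the codes currently live, is consumed exactly
    once when redeemed at the voting terminal, and lapses unredeemed once
    its lifetime has passed. The clock is injectable for testing.
    """

    def __init__(self, clock=time.time, ttl=CODE_TTL_SECONDS):
        self._clock = clock
        self._ttl = ttl
        self._live = {}  # code -> time of issue

    def issue(self):
        """Hand a fresh code to a checked-in voter (assumed 4-digit format)."""
        while True:
            code = f"{secrets.randbelow(10_000):04d}"
            if code not in self._live:
                break
        self._live[code] = self._clock()
        return code

    def _expire_stale(self):
        now = self._clock()
        for code, issued in list(self._live.items()):
            if now - issued > self._ttl:
                del self._live[code]  # unused code lapses silently

    def redeem(self, code):
        """Terminal-side check. True exactly once for a live, unexpired code."""
        self._expire_stale()
        return self._live.pop(code, None) is not None

    def live_count(self):
        """Number of codes that could still be redeemed right now."""
        self._expire_stale()
        return len(self._live)


def demo():
    """Walk the three outcomes: single use, replay rejected, expiry rejected."""
    t = {"now": 0.0}
    issuer = AccessCodeIssuer(clock=lambda: t["now"], ttl=300)

    code = issuer.issue()
    first = issuer.redeem(code)    # ballot cast: accepted
    second = issuer.redeem(code)   # same code presented again: rejected

    stale = issuer.issue()
    t["now"] += 301                # voter walks away; lifetime elapses
    lapsed = issuer.redeem(stale)  # rejected, nothing left to redeem

    unknown = issuer.redeem("no-such-code")
    return {"first": first, "second": second, "lapsed": lapsed, "unknown": unknown}


if __name__ == "__main__":
    print(demo())
```

The point the design makes against a reusable token is visible in `redeem`: the code's validity lives only in the issuer's table, so nothing the voter carries away can be presented a second time.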
Perhaps most important, the eSlate system has no external connections: no hookups to phone lines, the Internet, or an intranet. While some systems allow results to be sent by modem to a central vote-counting facility, the eSlate is comparatively old-fashioned. Much like an old-style ballot box, the devices ("mediums") into which votes are recorded are removed by the election judges after the polls close and physically transported to the central counting station. Asked if she would ever try to transmit election results over the Internet or modem, DeBeauvoir said, "No way. ... Never."
In fact, trying to find specific criticisms of eSlate or Hart is difficult. Searches of Internet and Nexis databases turn up only minor reports of human error and no major security failures by eSlate. And in her book Black Box Voting: Ballot-Tampering in the 21st Century, Bev Harris, the nation's most visible nonscientist critic of e-voting, limited her criticism of Hart to the company's Republican-leaning investors.
Other critics even give Hart qualified praise.
"Those touch screens are just utter crap," says Rebecca Mercuri, a research fellow at Harvard University's John F. Kennedy School of Government and a very prominent e-voting critic. "Even the banking industry had gone away from them years ago, because they malfunction so badly. It's a smart move on Hart's part to not use that. Also, for the disabled, I think it's a very nice interface, that sort of wheellike thing."
Dan Wallach, the Rice University scientist who worked on the Diebold study, says, "I think in terms of human factors, accessibility, that sort of thing, the design of the Hart system, where instead of using the touch screen they use the rotary knob, I think there are a number of ... benefits to that kind of design; that somebody who's blind uses the same kind of interface as everybody else."
"Of course, it doesn't much matter if everybody uses the same interface if nobody has confidence that their votes are recorded properly," continues Wallach.
'The Mercuri Method'
While concern about DRE voting has barely coalesced into a movement in Austin, there is a small network of citizens and groups around the region trading e-mails and worries, most notably the centex-evote e-mailing list (go to www.groups.yahoo.com/group/centex-evote to join). A new group addressing the issue, called Texas Safe Voting, is a coalition among the ACLU of Texas, Campaigns for People, Common Cause, and the Electronic Frontier Foundation of Austin.
There are two major public objections to all e-voting systems, including eSlate: None provides a printed ballot for voters to confirm their choices or that could be used in case of a recount; and, the groups insist, the hardware, software, and source code should be available for public review. Even DeBeauvoir admits of eSlate, "Could it be more secure? The answer is yes."
"The main point about the Hart InterCivic machine is the same main point that electronic-voting activists and computer security professionals have been making across the board, which is, without a voter-verifiable paper trail, no all-electronic voting system can be considered really secure and reliable," says Adina Levin, director of the Cyber Liberties Project of the ACLU-Texas and chair of the E-Voting Project of the Electronic Frontier Foundation of Austin.
DeBeauvoir is not as concerned about computer error; she notes that the eSlate has triple-redundancy storage mediums that can be cross-checked and real-time audit logs, and can recall an image of each ballot that has been cast (although it cannot match the ballot with the person who cast it).
That's not enough, responds Levin. "If I choose on my touch screen or Hart selector, and something goes wrong between the thing that I choose and the thing that gets written electronically, even if it gets written in three different places, or 10 different places, or a hundred different places, it's still different from what I selected. And if I don't have an independent way of recording what I [saw on the computer screen] and going back to check, there's no way of knowing. You're never, ever gonna know."
The paper system proposal is simple enough: After a ballot is cast electronically, a paper copy would be printed and verified by the voter; if a voter says the printed vote does not match what he or she selected, the vote can be nullified and recast, and possibly the machine checked for malfunction. (A bill before Congress would mandate such a "voter-verified" system, and California Secretary of State Kevin Shelley has ordered that all election systems in his state have one by 2006.)
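The disagreement between DeBeauvoir's triple-redundant storage and Levin's objection comes down to where the redundancy sits relative to the error. The following added example (written for this page, not code from Hart or the Chronicle) models it: a ballot image written to three stores, a cross-check that majority-votes across them, and a voter-verification step that compares an independent printout with what the voter saw. The candidate names, the single corrupted store, and the `capture_offset` that models a mismatch between the displayed and registered choice are all constructed.

```python
from collections import Counter

# Constructed sample contest with three candidates.
CANDIDATES = ["Candidate A", "Candidate B", "Candidate C"]


class RedundantBallotStore:
    """Holds the same ballot image in N separate stores (three, as the article describes)."""

    def __init__(self, copies=3):
        self.stores = [[] for _ in range(copies)]

    def record(self, candidate):
        for s in self.stores:
            s.append(candidate)

    def cross_check(self, ballot_no):
        """Majority vote across the copies. Returns (value, all_copies_agree)."""
        copies = [s[ballot_no] for s in self.stores]
        value, count = Counter(copies).most_common(1)[0]
        return value, count == len(copies)


def cast_ballot(store, chosen_index, capture_offset=0):
    """Model the path from the screen to the stores.

    capture_offset=0 is a correct machine. A nonzero offset is a constructed
    fault between what the voter saw highlighted and what the machine registers
    (the kind of misalignment the touch-screen calibration complaints describe).
    Returns (displayed, registered).
    """
    displayed = CANDIDATES[chosen_index]
    registered = CANDIDATES[(chosen_index + capture_offset) % len(CANDIDATES)]
    store.record(registered)
    return displayed, registered


def voter_verified(displayed, printed):
    """The voter-verified paper step: the voter compares the printout to the screen."""
    return displayed == printed


def scenario_one_store_corrupted():
    """A fault in one copy after the write: redundancy detects and outvotes it."""
    store = RedundantBallotStore()
    cast_ballot(store, 1)                      # voter chose Candidate B
    store.stores[2][0] = "Candidate C"         # constructed fault in one copy only
    value, agree = store.cross_check(0)
    return value, agree                        # ("Candidate B", False)


def scenario_capture_error():
    """A fault before the write: all copies agree on the wrong candidate."""
    store = RedundantBallotStore()
    displayed, registered = cast_ballot(store, 1, capture_offset=1)
    value, agree = store.cross_check(0)
    # The cross-check passes because every copy carries the same wrong value.
    # Only the comparison against an independent record the voter saw exposes it.
    return value, agree, voter_verified(displayed, registered)


if __name__ == "__main__":
    print(scenario_one_store_corrupted())   # ('Candidate B', False)
    print(scenario_capture_error())         # ('Candidate C', True, False)
```

The second scenario is Levin's "three places, or 10, or a hundred" argument in code: copies made downstream of a fault are consistent with each other and inconsistent with the voter, and no number of them changes that.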
DeBeauvoir has her doubts. She wonders how such a system could accommodate those who are vision-impaired; a driving force behind the e-voting push is compliance with the Americans With Disabilities Act, and e-voting systems provide headphone audio that allows blind people to vote without assistance. She also expresses concern over the mechanics of such a process: Could a voter walk out with the paper ballot? Does the voter get his/her own copy (raising the fear of vote buying)? Is the paper ballot printed before or after the "cast ballot" button is pressed?
Mercuri says she has an answer for all those questions: a system she devised that her colleagues have dubbed the "Mercuri Method."
"There's a script, and all of the election officials have these negative points. I've heard them before, I've heard her say them," says Mercuri. "I've explained this to her [Mercuri and DeBeauvoir both serve on the Elections Security Subcommittee of the Institute of Electrical and Electronics Engineers], and she's heard me explain this on at least two occasions, so the fact that she's still saying that is amazing.
"That's ridiculous. Nobody ever says that when we're talking about, you know, like an optical scan ballot: 'Oh, the people are going to leave the polling place with the ballot.' First of all, if a person leaves with it, then they didn't vote. If you're going to go to that type of system, people need to understand that. Now, if you go to my article called A Better Ballot Box, you'll see a picture that shows how it could work. ... The person never touches the piece of paper. ... When they see the vote on the screen and they're ready to vote, they say OK, print the paper. It prints it out behind a piece of Plexiglas; they see paper behind the piece of Plexiglas; if they agree that it's OK, they press the button and it drops in the box. So how can they walk out with it?"
As for the disability issue, Mercuri says that visually impaired or even illiterate voters could use voice-feedback scanners to read the paper ballot.
In any case, DeBeauvoir cannot implement a paper-trail system (any changes to voting machines or balloting procedures must first be approved by the Texas secretary of state, and then by the Travis Co. Commissioners Court), so voters will have to settle for another paperless election. DeBeauvoir insists that she is not necessarily opposed to a printed ballot system. "I'm willing to do it," she says, "if [Travis Co. citizens] decide it's the right thing to do." She said she wasn't sure how much it would cost to retrofit Travis Co.'s 1,800 eSlate machines, which are not currently designed to hook up to a printer, but "a ballpark estimate would be a million dollars."
Hart InterCivic Vice-President William Stotesbery told a recent Austin forum on e-voting that the industry sees the writing on the wall on paper ballots and will move in that direction anyway. But he also told the Chronicle that in addition to the cost, "What worries me about paper is introducing a false sense of security. There was election rigging with paper ballots, too."
Paper ballots aside, voting machine companies are much less likely to share their source code. (Source code, often copyrighted, is the human-readable set of instructions programmers write to define and operate a particular piece of software.) At the moment, they flat-out refuse to do it, arguing that secrecy protects both their proprietary secrets and election security.
Going to the Source
Wallach disagrees. "Open source is not a panacea for security problems, although it's often a good thing," he told the same e-voting forum that Stotesbery addressed. "Open source means that you have the opportunity for people who care to go have a look. Diebold accidentally opened their source, and we found a number of problems, and as a direct result of that, other people have been hired to go have a look. Open source doesn't necessarily imply that you're giving source code away for free; it doesn't mean that you're giving your intellectual property for the whole world to use.
"An argument that's often made as to why you shouldn't give source code away is that if the bad guy can see the source code, that gives the bad guy an advantage, so we should prevent that. These arguments are typically referred to as 'security through obscurity,' and it just doesn't work, and it never has, and it never will. The bad guy will always know how it works, because one of those machines will fall off the back of a truck. It's just a matter of time. Then the bad guy can tear it apart. Or the bad guy can go Dumpster diving and find a burned CD with a copy of your source code somebody made as a backup, or the bad guy can get somebody employed at your firm, perhaps as a janitor, perhaps as a programmer, and walk away with your source code. So as long as that's part of your threat model, and I think that's a reasonable threat model for an election, you can't build your security around the obscurity, so you should build it around something else."
Wallach explained further: "An ATM is secure despite the fact that bad guys know exactly how it works. A voting system should work despite the bad guy knowing."
Stotesbery responds, "Frankly, we think that security and protection of the code does increase the security of it, and we have a difference of opinion on that. ... Our customers feel more comfortable with it not being open in most cases, [and] we feel more comfortable with it." Stotesbery also says that the code actually isn't completely secret, as it is submitted to governmental agencies for certification, under the condition that it is not made public; and he insists that copyright and patent law alone are insufficient to protect trade secrets.
The Ohio secretary of state report, completed in November of last year, raised additional concerns: Hart does not use encryption to protect election data sent from the eSlate machine to the election judge's controller booth; supervisory functions in the booth (including the button to close the polls) do not have a mandatory password; and the machines are all connected to the booth through a "daisy chain" of cables that an unauthorized person could easily reach and accidentally or intentionally unplug, disrupting the election.
While the report labeled these as "high risk" problems, DeBeauvoir and Stotesbery disagree: Travis Co. already requires a password, she said, and Hart plans to redesign the eSlate to make passwords mandatory; Hart plans to incorporate encryption, and in any case the data only travels a few feet from the voting booth to the judge's booth. Finally, should the daisy chain be unplugged, DeBeauvoir says, no data would be lost and the machines could be reconnected and rebooted in a few minutes. (Hart fared better in the Ohio study than any of its competitors, which had more risk areas identified, including the possibility of outside parties getting access to a DRE system and altering the data within it.)
One of the charges in the Rice/Johns Hopkins study was that "many government entities have adopted paperless DRE systems without appearing to have critically questioned the security claims made by the vendors." DeBeauvoir wants to reassure Travis Co. voters that that doesn't apply here. Indeed, DeBeauvoir convened a diverse task force to help her analyze the vendors that sought Travis Co.'s business, a group including experts in computer security, programming, legal issues, and conducting elections.
Cross Your Fingers
The first task was to design theoretically the type of system that Travis Co. needed: "We knew we wanted certain things for our protection. We knew we wanted to have the exclusive control over the setting up of each ballot. ... We did not want the vendor to do that." They wanted to be able to produce a paper copy of each ballot (for later recall, not to be confused with Mercuri-style immediate printing), different kinds of audits, and equipment that couldn't be easily broken into, especially nothing that could be accessed with a keyboard. (Some other systems, including Diebold, are keyboard-accessible.)
"They also helped me design, for the second round, the series of questions that we would ask these vendors. And what they suggested and what we ultimately did was, [have the vendors] teach you how to do the system ... and then send them away. My people had to be responsible for being able to operate the system themselves. And I will tell you, we tried to break every system they gave us. I wanted to break into it, tamper with it, I wanted to see if I could do anything. We did lots of, sort of, call it dirty tricks. We tried to mess it up. Not all of our systems that we evaluated for purchase passed those tests. There were some gaps in security in a couple of the systems." DeBeauvoir didn't want to name the specific vendors for legal reasons, "but there were a couple of vendors we wouldn't consider buying." She says she reviewed all the DRE systems that have been certified in Texas, including the Hart eSlate, Diebold's AccuVote, ES&S's iVotronic, and Unilect's Patriot.
She also required that the systems allow her to do manual logic and accuracy testing. "Now that's outside the scope of law, but to me what that says is, you're not relying on the machine to check itself." Her election workers manually enter every bit of data for every ballot for each different precinct. "That's one of the things that the computer security person recommended to me that I do. And to tell you the truth, I kind of balked at it at first, because [I said], 'Ugh, do you know what it's going to take to do that? Are you crazy? These systems can check themselves.' But I'm glad he did it, because what we found was, it was a better way to confirm that every piece of equipment worked and that every ballot was correct."
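What DeBeauvoir calls manual logic and accuracy testing is, in outline, a known test deck whose totals are worked out by hand before the machine sees it, then compared against the machine's tally precinct by precinct. The following added example (written for this page, not Travis Co.'s procedure or Hart's software) shows why it catches a class of ballot-definition mistakes that a self-check cannot: the precincts, the test deck, the hand counts and the deliberately swapped candidate positions in one precinct's definition are all constructed.

```python
from collections import Counter

# Constructed test deck: per precinct, the (contest, screen position) marks the
# tester enters. The hand count below was computed from the official layout
# before any machine tally, which is the whole point of the exercise.
TEST_DECK = {
    "Precinct 101": [("Mayor", 0)] * 3 + [("Mayor", 1)] * 2,
    "Precinct 102": [("Mayor", 0)] * 1 + [("Mayor", 1)] * 4,
}
HAND_COUNT = {
    "Precinct 101": {"Mayor": {"Candidate A": 3, "Candidate B": 2}},
    "Precinct 102": {"Mayor": {"Candidate A": 1, "Candidate B": 4}},
}

# A ballot definition maps each precinct's on-screen positions to candidates.
GOOD_DEFINITION = {
    "Precinct 101": {"Mayor": {0: "Candidate A", 1: "Candidate B"}},
    "Precinct 102": {"Mayor": {0: "Candidate A", 1: "Candidate B"}},
}
# Constructed defect: the two positions are swapped in one precinct only.
# The machine is internally consistent, so a self-check would pass.
BAD_DEFINITION = {
    "Precinct 101": {"Mayor": {0: "Candidate A", 1: "Candidate B"}},
    "Precinct 102": {"Mayor": {0: "Candidate B", 1: "Candidate A"}},
}


def tally(deck, definition):
    """What the tally system reports: positions resolved through the loaded definition."""
    totals = {}
    for precinct, marks in deck.items():
        counts = {}
        for contest, position in marks:
            name = definition[precinct][contest][position]
            counts.setdefault(contest, Counter())[name] += 1
        totals[precinct] = {contest: dict(c) for contest, c in counts.items()}
    return totals


def logic_and_accuracy_test(definition, deck=TEST_DECK, hand_count=HAND_COUNT):
    """Compare the machine tally of the test deck with the hand count.

    Returns a list of (precinct, contest, candidate, expected, got) mismatches;
    an empty list means every precinct's ballot tallied as the hand count predicts.
    """
    got = tally(deck, definition)
    problems = []
    for precinct, contests in hand_count.items():
        for contest, expected in contests.items():
            actual = got.get(precinct, {}).get(contest, {})
            for cand in sorted(set(expected) | set(actual)):
                if expected.get(cand, 0) != actual.get(cand, 0):
                    problems.append(
                        (precinct, contest, cand, expected.get(cand, 0), actual.get(cand, 0))
                    )
    return problems


if __name__ == "__main__":
    print(logic_and_accuracy_test(GOOD_DEFINITION))  # []
    print(logic_and_accuracy_test(BAD_DEFINITION))   # two mismatches in Precinct 102
```

The deck deliberately gives each precinct an unbalanced split; a deck with equal counts for every candidate would tally correctly through the swapped definition and the test would prove nothing.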
None of the above means that Travis Co. voters can truly rest easy. While we may be using one of the best-designed DRE systems available, other jurisdictions in Texas and around the nation have chosen the bigger market leaders, either unconcerned by or unaware of security questions. It's easy to imagine a train wreck heading for us that will make election 2000 look like a speed bump. If we're lucky, it will vaporize like the Y2K scare. All DeBeauvoir can do is take care of Travis Co., and she says she's trying her best. She says some of the e-voting critics "can be antagonistic," and "I don't agree with all of the assumptions [they] make, but it's important to listen. If nothing else, if we end up doing nothing more than appeasing a worry that is a little dubious and perhaps way out there on the risk scale; if we end up taking steps that appease them and their concern, then all we've done is make more people more comfortable.
"I have to serve as an advocate for voters," DeBeauvoir says. "If we've got some people out there who are less than confident, then they've got every right to ask the question and get an answer, and if they're still not confident, then we keep that conversation going. It's not up to me to say, 'Oh that's just not a real problem,' or 'It's just silliness,' or 'You're not educated enough.' That's not my role. My role is to keep answering."
You can bet they'll keep asking.