Among the many things I was anticipating about my relocation to Los Angeles was the thrill of once again having a voting representative in Congress. Washington, DC, is neither fish nor fowl when it comes to the US Constitution: it's not a city within a state, nor is it a standalone state. It's just The Nation's Capitol. You'd think that would count for something, but not when it comes to Congress. Sure, there's a non-voting representative (Eleanor Holmes Norton), but residents of DC proper technically have no voice on Capitol Hill. Taxation without representation, anyone?
But now I am a resident of the fine state of California, disenfranchised no more. Or so I thought. Perhaps you noticed the news, late last Friday, announcing the release of a report testing the electronic voting machines certified for use in California elections. (h/t: Angela Gunn at TechSpace) Secretary of State Debra Bowen gave a group of University of California computer scientists the task of testing the machines of four major companies over five weeks to see if it were possible to hack into the systems or otherwise sabotage the machines. The results are depressing as hell: every single machine proved vulnerable to hacking, in some cases in ways that could alter the recording, reporting and tallying of votes. All of them. In the end, the UC scientists identified 15 different security flaws.
Well, actually, only three technically failed the test: those provided by Diebold, Hart Interactive and Sequoia. Election Systems and Software (ES&S) didn't send its InkaVote Plus systems in time for the testing -- despite the fact that its failure to do so violated the conditions of its state certification. Guess which company's machines are used by Los Angeles County? ES&S. Eventually they grudgingly sent over a few pieces of equipment, but no certified version of the source code or much of anything else needed to perform an adequate security test. Back in June, Bowen's office not only sent a tersely worded letter upbraiding the company for its lack of compliance, it issued a public press release letting everyone else know, too. Somehow we missed it. Needless to say, Bowen was pissed: "I'm not going to stand by and watch ES&S ignore the State of California, and in particular, the voters of Los Angeles County, by refusing to abide by the certification conditions," she says in the press release, accusing the company of "clearly trying to undermine the review." You go, girl!
The ES&S machines will, apparently, be "evaluated at a later date." Hopefully before local elections next February. As if that prospect weren't depressing enough, Nicole Belle at Crooks and Liars alerted me yesterday to an item in The New Yorker about a new stealth move by some Republican lawyer in Sacramento who filed a ballot initiative to end the practice of granting all 55 of California's electoral votes to the statewide winner -- you know, like they do in every other sizable US state. Under the new initiative, only two electoral votes would go to the statewide winner; the rest would be determined, individually, by whoever won each district. Would that be enough to "steal" an election in a predominantly Democratic state? Tough to say. But The New Yorker piece points out that in 2004 George Bush carried 22 of the 55 districts. In a close presidential election, it could make a very big difference. Just ask Al Gore. I'm beginning to get that sinking feeling of disenfranchisement again. Enough with this outdated electoral college already!
The companies, of course, are crying foul and claiming the study was flawed and isn't a fair assessment. (Angela Gunn ain't having none of it: "Call the waaahmbulance!") Sequoia issued its own press release, in fact, insisting that "none of the threats outlined represent a realistic threat if the normal procedural mitigations are in effect." It is true that the report did not assess how difficult or plausible each hacking scenario might be. It's also true that most of the attacks could probably be prevented by improving physical security around the machines, among other actions. Nor was the study everything the UC scientists would have wanted it to be: they would have liked more time to conduct the tests, and better access to all the codes and other information. ES&S was only the most egregious in this respect.
There's been a risk of cheating and fraud in the historical election cycle ever since mankind invented voting. (Crooks and Liars also pointed me to an online video, "Hacking Democracy," that some readers might find of interest.) The machines have evolved along with the process, although their use varies from state to state, and sometimes even among districts. In the beginning there weren't really machines. Colonial Americans cast their votes by placing balls, coins, bullets or beans (hey, you work with what you have) into a container, and the "votes" were then tallied. Sometimes they relied on voice votes, in which the voter simply stated the name of his candidate; smaller communities relied on this method all the way through the Civil War. if nothing else, it made it more difficult to cheat, but voter anonymity (and the associated protection from pressure or reprisals) was pretty much nonexistent.
Around 1800, someone hit on the notion of a paper ballot, later supplemented with the familiar ballot box. Such a system was first used in the Australian state of Victoria in 1856; New York became the first US state to adopt the paper ballot in state-wide elections, beginning in 1889. (Today, there are also punch-card systems that can either be counted manually or fed into a vote-tallying device.) Thomas Edison, fresh from a stint as a telegraph operator and intent on becoming a famous inventor, created the first electric voting machine in 1869, but it was never used, to his great disappointment. He was a little ahead of his time: nobody perceived a need for it, when paper ballots worked just fine. By 1892, that had changed: Jacob H. Myer's mechanical voting device -- quite similar in design to Edison's -- was adopted by the city of Lockport, New York, and became the first such machine to be used in a US election. By 1930, the machines were everywhere.
Typically, each lever in an array in a standard mechanical voting machine is connected to a specific candidate, and you just pull down the lever of choice to cast your vote. The levers are connected to counter wheels to keep track of the number of votes cast for each candidate. Then there's the optical scanning systems, familiar to anyone who's taken a standardized test: you fill in little ovals with a #2 pencil to indicate your choice, and these are fed into a computer-tabulating machine that selects the darkest mark to count as a vote. And finally we have the direct recording electronic (DRE) systems manufactured by Diebold, Hart, Sequoia and ES&S, among other companies. It's the same concept as the mechanical lever system, replacing the mechanics with a computer touch-screen (votes are stored electronically until they're ready to be tabulated), much like an ATM machine -- except not all of them issue a paper receipt. Aye, there's the rub.
None of this should come as a surprise to anyone who's been following the saga -- computer security experts have been issuing warnings about the vulnerabilities for years, and a Stanford professor named David Dill got so frustrated, he created a petition calling for voter verified audit trails for voting systems. It wasn't even a surprise to me, mostly due to a chance meeting a few years ago, at one of the annual Industrial Physics Forums. I headed back to the hotel early, and found myself alone on the bus, save for one other person: Barbara Simons, formerly a scientist with IBM Research and at the time, chair of the Association for Computing Machinery's Committee on Voting. She'd given a talk earlier that day on the technological problems with electronic voting machines and the potential for hacking and, by inference, voter fraud.
For the next 20 minutes, Simons told me all about the problems with the machines. And I talked her into writing a Back Page Op-Ed for APS News, called "Why Jonny Can't Vote." It didn't garner anywhere near the indignant outrage or even passionate debate for which I'd hoped. But I never forgot what I'd learned from chatting with her, and have been distrustful of electronic voting machines ever since. (The last time I voted, they gave me the option of a using a paper ballot. I took that option, hanging chads be damned.) The problem is that the voting machine software is proprietary -- understandable, these are commercial companies, after all, but ultimately the rights of the voters should hold sway -- plus the certification process is secret (and often inadequate), and the test results are secret. All this secrecy might be great for the manufacturer, but it spells trouble for US voters. Says Simons, "Because there is no way to conduct a meaningful recount for paperless voting machines, it is impossible to verify that the reported results are correct. This is not a healthy situation for a democracy."
One of the many excellent points Simons made in her Op-Ed for APS News was about Diebold, which she dubbed the "poster child of all that is wrong with DREs." You might recall the ruckus in August 2003, when Diebold CEO Walden O'Dell -- a staunch Republican -- vowed to deliver Ohio's electoral votes to President Bush in the 2004 election. It sounded a bit ominous, coming from someone whose company manufactures the actual machines that tally votes. But Simons insisted that Diebold's biggest problems were technological, not political. There was a bizarre security breach in February 2003, when the company's voting machine software was found floating around on an open FTP Website. A group of computer scientists analyzed those programs and even published the so-called "Hopkins Paper" detailing its security problems, the most critical of which was a sloppy, almost cavalier approach to the all-important DES key.
Diebold had already been warned once about that vulnerability in 1997, by the Iowa Board of Examiners for Voting Machines and Electronic Voting Equipment. The Hopkins Paper warned them again. So it's a bit chilling to read that this latest UC study found that the Diebold AccuVote-TSX system used, by default, a "well-known static security key." Any district that used the default setting -- and c'mon, you know there's bound to be loads that would do so -- would have machines extremely vulnerable to hacking. Knowing that key gives the user access to the machine's source code, after all. Alas, while the problems with the machines are well known, and well documented, in the computer science community, for some reason that awareness has yet to trickle down to policy makers and the public at large. It's not that I want people to automatically fear new technologies -- I love new technology, for the most part, being the geek I am -- but would a bit of reality-based concern be amiss, when our democratic rights are at stake? Simons concludes:
"Election officials were told that DREs in the long run wold be cheaper than alternative voting machines. They were told that DREs had been extensively tested and that the certification process guaranteed that the machines were reliable and secure. No mention was made of the significant costs of testing and of secure storage of DREs. No mention was made of the inadequacy of the testing and certification processes, to say nothing of the difficulty of creating bug-free software. Technologists are attempting to educate election officials, policy makers, and the public about the risks of paperless DREs. It is critical for the continued existence of democracy throughout the world that we succeed."
I'd encourage people to check out Simons' entire article, even though it's from 2005, and related links in the footnotes. It's still relevant. The upshot is, we got trouble, right here in Los Angeles County -- and probably in the rest of the country, too, unless Capitol Hill does the responsible thing and bans the use of electronic voting machines that don't leave paper trails. There will be hearings -- you can count on it. In fact, there's apparently some piece of legislation floating around the House of Representatives to that effect, co-sponsored by Sen. Dianne Feinstein (D-Calif), aimed at scrapping paperless machines by 2012, although it's unlikely to be passed before Congress leaves for vacation.
The bad news is, the UC scientists were also able to manipulate paper receipts produced by both Diebold and Hart machines, so a paper trail might not entirely solve the problem, either. Still, we use banking ATMs all the time and those things are pretty darned secure (although I always keep my receipt until I verify it against my bank statement, just in case). We should be treating electronic voting machines with the same scrupulous attention to detail heaped upon the vast ATM system. Anyone who doubts what's at stake need only look at the last seven years.
REMINDER: We are now accepting nominations and submissions for the next Philosophia Naturalis blog carnival on August 16, which will be hosted here at Cocktail Party Physics. Read any good posts about physics lately? Written one of your own? Simply send the link to Jen-Luc Piquant at [email protected]