Johns Hopkins Magazine
Johns Hopkins Magazine Current Issue Past Issues Search Get In Touch
  E-lective Alarm

The technical director of Hopkins' Information Security Institute warns in a new report that computerized voting is critically flawed. But proponents are downplaying the risk.

By Dale Keiger
Illustration by Scott Roberts
Photos by John Davis

 
Computer security analysis ordinarily does not leave Aviel Rubin breathless. It is, after all, simply his job as technical director of Hopkins' Information Security Institute. But last July, when he followed a link on an Internet Web site, what he found caused a deep inhalation. Rubin was co-author of a just-completed, not-yet-published analysis of some computer code. The code, he believed, operated a machine called the AccuVote-TS, an electronic, touch-screen voting terminal manufactured by Diebold Election Systems. The AccuVote has been adopted for use in 38 states. Rubin's analysis of its code, completed with the help of three colleagues, had revealed software that was, in their professional judgment, so deficient in security it could be compromised by a bright teenager intent on hacking an election.

Rubin had gone to Diebold's Web site hoping to find a picture of an AccuVote. His deep breath came when he found a press release that announced that Maryland, which had already used 5,000 Diebold AccuVotes in four counties, would be buying 11,000 more for its next election. Eleven thousand machines that, in Rubin's opinion, could not be trusted.

The computer scientists at Hopkins and Rice had not yet submitted their report, "Analysis of an Electronic Voting System," to a technical journal. They awaited responses from other security experts around the country who had received the report for an informal peer review. But the Diebold press release filled Rubin with new urgency. Two days later, after receiving mostly positive reviews of the report from his peers, Rubin gave it to John Schwartz, a technology reporter at The New York Times, and to CNN.

Within hours Rubin was in a CNN studio and reporters from most major American newspapers had dialed his phone number. The report, authored by Rubin; Adam Stubblefield, a Hopkins doctoral candidate in computer science; Tadayoshi Kohno, a graduate student spending the summer working with Rubin; and Dan S. Wallach, assistant professor of computer science at Rice, was technical but not dauntingly so. Anyone could understand the final sentence of the introduction: "We conclude that, as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy at risk."

More than six months later, not a day goes by that Avi Rubin does not field another reporter's query about electronic voting. Author or co-author of four books on computer security, Rubin is 36 years old, a compact, dark-haired man who has the scientist's habit of beginning explanations with the word "so": "So, any typesafe language is immune to buffer overflow. ... He holds three degrees from the University of Michigan and retains a fervent interest in Wolverine sports. He also has a passion for pocket billiards. A pool table takes up much of his living room, though it hasn't gotten much use since Rubin became the nemesis of Diebold Election Systems. "This thing has been dominating my life," he says.

Blame it on Chad. You remember Chad. In Florida, late in the year 2000, Chad was dimpled, hanging, even pregnant. The 2000 presidential election between Al Gore and George W. Bush came down to a recount of votes in a handful of Florida counties, and the public learned the importance of the little holes — chads — made in a paper ballot by a punch-card voting machine. The election ultimately was decided by the U.S. Supreme Court, to the dissatisfaction of millions.

Technology has been part of American elections since before the Declaration of Independence. Paper ballots replaced show-of-hands votes for the first time in 1770. Voters in Lockport, New York, were the first to use a lever-operated voting machine, in 1892, and punch-card systems first appeared in voting booths in 1964. After the 2000 debacle, Congress decided the next ballot innovation should be digital technology. In October 2002, George W. Bush signed into law the Help Americans Vote Act, HAVA, which appropriated $3.9 billion over a period of years for states to upgrade election systems. In Maryland, state law enacted in 1999 mandated maximum use of technology in elections administration.

"You have to be a competent programmer, but this is not out of the reach of a geeky high-schooler," says Adam Stubblefield. Voting-machine companies began vying for pieces of this federal largess, each promising that touch-screens and electronic tallies would result in clean, fair elections free of disputes and restore faith in the nation's electoral system. But as soon as public officials began to talk up computerized voting, computer scientists began to say, Not so fast. They pointed out that electronic voting machines usually did not print a verifiable paper ballot, and the computer code that ran them was proprietary, therefore not subject to public scrutiny. Computer security is a complex problem, and experts were skeptical that Diebold or any other manufacturer had taken sufficient measures to ensure that digital election technology could not be hacked by vandals, or worse, by someone seeking to subvert the vote. Notes computer scientist Barbara Simons, who is founder and co-chair of the U.S. public policy committee of the Association for Computing Machinery, "Election officials are under a lot of pressure [after the 2000 problems] to go out and buy machines while there is money available to do so. Vendors are rushing things into the market that should not be on the market because they're inadequate. A lot of the election officials buying these machines don't have the technological savvy to even know what questions they should ask."

One skeptic was not a computer scientist but a publicist in Renton, Washington, named Bev Harris, who in her spare time had been researching electronic voting for a book she was writing. On January 23, 2003, Harris sat down to search the Internet for computer technicians who might provide technical documentation for various electronic voting terminals. In 2001, Diebold had bought a company called Global Election Systems, and Harris had turned up e-mail addresses for technicians at gesn.com. So she typed "gesn" into Google, the Internet search engine, and began scrolling through page after page of results. On about the 15th page, she found a link that took her to a new page, "Welcome to [the] Global Election System Network." Harris kept clicking links there until she clicked one called "FTP," where she says she found "directories and directories full of stuff."

Harris had stumbled upon an electronic archive. Employees of Diebold, a company that boasts about its security systems, had done something breathtakingly dumb: Posted on a public Web site thousands of unsecured internal company files, the equivalent of putting the files in an unsealed envelope and tacking it to a corkboard in the town square. Anyone in the world could download them, and after Harris found a file that aroused her suspicion that Diebold had put uncertified code into voting machines in Georgia, that's what she did, for 40 hours. The data filled seven CDs.

Harris first published word of the files in February 2003, on a muckraking Web site based in New Zealand called Scoop. Various parties who knew more about computer code than she did began examining the files. In early March, one of them advised her that a file called "cvs.tar" looked like source code. On June 15, Harris published the link to "cvs.tar" on the Web site of an organization called Democratic Underground and asked if anyone knew what it might be. She soon heard from people who confirmed that it was Diebold source code.

After Scoop linked to the data files, word spread that for the first time, voting-machine code was available for scrutiny. A leading skeptic of electronic voting, a computer scientist at Stanford named David J. Dill, knew the import of what Harris had discovered. He also knew Avi Rubin, whom he phoned with the news. Rubin in turn called Stubblefield and Kohno and said, "Stop by my office, I've got something I want to share with you. I think it's a drop-everything kind of project." Rubin also heard from Dan Wallach at Rice and enlisted his help.

Stubblefield and Kohno began crawling over more than 49,000 lines of code. Rubin recalls, "I think within an hour they were back, saying, 'You won't believe how bad this is.'"

One of the first things they had noticed was a single line:

#define DESKEY ((des_key*) "F2654hd4"

It was from a section of the code that told the terminal how to secure, through encryption, the count of the day's vote on that machine. The code used an encryption protocol called DES, and "F2654hd4," to the astonishment of Stubblefield and Kohno, was the key to the encryption — the combination to the lock on the vault, so to speak. The two graduate students knew that if the DES encryption key had been written into a line of the machine's code, the key had to be the same on every Diebold terminal. Says Stubblefield, "That's the canonical example of how not to do [security]. It's as if there were one password for all the computers at Hopkins."
Avi Rubin unleashed a firestorm when he announced that computer-voting technology was not secure. And things got worse from there. Rubin and his colleagues were careful to examine only code that had not been concealed behind a password, to avoid possible violation of digital copyright law. What they found, Rubin says, was software vulnerable from several attack points. For example, the Diebold AccuVote uses smartcards. When voters check in at the polling station, each one receives a card to slide into the voting terminal. The card tells the machine that someone wants to vote. The machine displays the proper ballot on its screen. When the voter is done, the machine stores his vote and invalidates the card, to prevent multiple voting.

The smartcard is one of the system's safeguards against people stuffing the electronic ballot box. But the measures used to secure communication between card and terminal were weak, Rubin's team observed, and Diebold's smartcards did not employ cryptography. This makes it simple to reproduce illicit cards. Programmable blank cards can be bought on the Internet — $27 buys 10 from CardLogix.com — and a card reader to strip information from a smartcard and program a counterfeit may be obtained from a firm named Axalto for $49. Using these tools, how hard would it be for someone to make cards that would allow anyone to vote 20 or 30 times on an AccuVote terminal? Says Stubblefield, "You have to be a competent programmer, but this is not out of the reach of a geeky high-schooler."

In the AccuVote software examined by the analysts, the ballot definition, which tells the terminal to display the proper listing of candidates for each office, was not protected and could be modified by anyone who gained access to the data file. Before being recorded on a storage device, the vote records in each machine were encrypted, as already noted, but by an outmoded encryption method (DES) that's been proven to be crackable.

The analysts at Hopkins also noted that the Diebold code was written in a popular programming language known as C++. Though a fine language for many applications, C++ is not what programmers call "typesafe." The distinction involves a detailed technical explanation, but the important point is that anything written in C++ — as opposed to a typesafe alternative like Java or C# — is vulnerable to various popular modes of attack by hackers. Says Rubin, "Over 70 percent of the attacks that we know of have been [against] unsafe languages [like C++]."

When programmers write software, they annotate their work. A typical printout of programming code includes line after line of instructions for the computer, plus a running commentary that alerts other programmers to why sections of the code were written as they were, what sections of the code do, when various lines were altered and why, and various bug fixes. If the software has been written by several programmers, which is often the case, these notes usually are extensive. Rubin found a striking lack of annotation in the Diebold code. "There were pages and pages of complicated code without any comments. There was no way anyone who wrote that code could look at it a week later and [immediately] know what the hell it was." He adds, "I don't think anyone who was involved in the writing of this code had any notion of good software practices or any understanding of security whatsoever."

Diebold estimates that the U.S. market for electronic voting machines may be worth $2 billion. So the company has not been pleased by the assertions of the Rubin report and months of bad publicity. Six days after Rubin's analysis hit the news, Diebold issued a 27-page point-by-point rebuttal. The company has maintained adamantly that its machines are secure and reliable, and that an adequately supervised election could not be subverted.

Mark Radke, director of marketing for Diebold Election Systems, dismisses Rubin's analysis as biased, inadequate, and ill-informed. He says, "It is unfortunate that [Rubin] was able to broadcast his personal views in such a study direct to the media without the customary peer-group review, a review which is usually completed by an unbiased group of university researchers."

Because the Rubin study was not published by a refereed journal, it wasn't subject to the customary review by a journal's expert panel. But it was vetted by more than a half-dozen computer scientists before Rubin released it to the media. Nevertheless, Diebold has consistently attacked the study. The first problem, Radke claims, is that Rubin's team analyzed the wrong software. Since Bev Harris first found the Diebold code, there has been uncertainty as to whether it matches the code now used by the AccuVote terminals. Diebold's written rebuttal called the Rubin study "an incomplete snapshot of source code in the process of development." It continued: "Software examined ... was an older version," and "[the] issue has since been resolved in subsequent versions of the software."

Hopkins' Stubblefield replies, "This is a large amount of code, more than 49,000 lines. We have time-stamps in the code up to the middle of 2002. A version of their machine was used in the [November] 2002 elections. It would be very difficult for them to create an entirely new machine in less than half a year." Bev Harris has noted that version numbers found in the downloaded code closely relate to the version number of the code certified for use by the National Association of State Election Directors, indicating that the actual operational code may differ from the code analyzed by Rubin, but probably to an insignificant degree. And last August 4, Wired News reported that "[Diebold spokesman Michael] Jacobson confirmed that the source code Rubin's team examined was last used in November 2002 general elections in Georgia, Maryland, and counties in California and Kansas."

Says Rubin, "I personally do not believe for one minute that this was not the code running on the machines the day our paper came out. I believe that if you got hold of one of those machines today and cracked it open, the code would be bit-for-bit the code that we got."

Companies have protocols to handle discrepancies. But, says Rebecca Mercuri, "those protocols happen to stink." Diebold and other critics of the Rubin report — who include former Maryland Secretary of State John T. Willis (who called the analysis "technological hysteria"); current Georgia Secretary of State Cathy Cox; Doug Lewis, executive director of the non-profit Election Center (he described the report as "unscientific and unacademic"); and Brit Williams, vice chairman of the Institute of Electrical and Electronics Engineers (IEEE) voting standards committee and the primary expert who certified the AccuVote for use in Maryland — consistently have faulted it for not considering election security in the full context of election procedures. For example, regarding the vulnerability of the system to electronic ballot stuffing through counterfeit smartcards: Diebold replied that at the end of the day, roster reconciliation would match voter signatures to the number of votes cast, catching any discrepancy and launching an investigation. But if election officials find a discrepancy, they have no way of sifting legitimate votes from illegitimate votes. What does the board of elections do then? Invite everyone back for a do-over? Rebecca Mercuri, a computer scientist at Bryn Mawr College who has spent years working on election security issues (and who is a critic of some aspects of the Rubin report), notes, "What these companies always say is, 'We have protocols in place that will handle [discrepancies].' But those protocols happen to stink. They're not going to say that, but that's the case."

The Rubin team found code for networking, so it analyzed the insecurity of transmitting election data over the Internet or by other means. Critics have repeatedly cited this analysis as an example of uninformed criticism: Rubin, they say, should have known that election data will not be transmitted. Instead, says Linda Lamone, Maryland's state administrator of elections, election results will be stored on removable memory cards in each voting terminal, backed up by dynamic data files stored on a chip that stays in the machine. At the conclusion of the election, each card will be collected and delivered by hand to election headquarters. Until then, the cards, says Radke of Diebold, are protected in the machines by lock and key.

But last October a reporter for Wired magazine, Kim Zetter, attended a training session for poll workers using Diebold machines in Alameda County, California, and discovered that pre-election security was laughable. Officials left the county's Diebold voting machines unattended at polling stations for days before the election, locked to trolleys with simple bicycle locks. Every lock had been set to the same combination, 1111, and the same number was used for the security key of every administrator smartcard to be used in the election. Every supervisor knew the code days before, and none had been subjected to background checks. The memory cards on which election results would be stored had already been loaded into the machines. The cards were inside locked compartments, but the same key opened every machine, and supervisors had possession of the keys the weekend before the vote took place. The carrying cases for the voting terminal had been sealed with tamper-resistant ties, but those could be bought on the Internet, allowing anyone who broke into the cases to replace them.

Adam Stubblefield (left, with Rubin) helped analyze more than 49,000 lines of Diebold's computer code. Furthermore, it is not quite accurate, apparently, to state that no transmission of election results will take place. Lamone, responding to fact-checking by Hopkins Magazine, said in an e-mail: "Unofficial election-night results can be transmitted from the precincts to the county central counting center via dedicated telephone lines using encryption. Those unofficial results are then verified against the memory cards."

Stubblefield asserts that even if election officials deliver the cards by hand, the results will not be secure from tampering. Memory cards are small, he notes, and anyone with a card reader (which also is small — waiters in restaurants can use them to steal credit-card information and commit identity theft) would need only seconds to pop the memory card into the reader and rewrite the results before sealing the card in its official elections carrying pouch. "This isn't like carrying a big stack of papers to stuff a ballot box," says Stubblefield.

In the aftermath of the widespread publicity generated by the Rubin report, Maryland governor Robert L. Ehrlich Jr. delayed Maryland's purchase of AccuVotes and ordered an independent risk assessment of the AccuVote system by Science Applications International Corporation, a research and engineering company. Last September, SAIC completed its report, and on September 24 Maryland released it, sort of: Roughly 140 of the report's 200 pages had been redacted, excised from public view. For example, all of Section 5 has been redacted, the section that, according to the report's summary, "provides the risk assessment findings, including a discussion of [state board of elections] security requirements, threats to the implementation of the AccuVote-TS, likelihood of exploitation of the threat, vulnerabilities, and mitigation strategies." Lamone says, "Portions were redacted on advice from legal counsel and security people. Portions [of the report] were so sensitive to the process of conducting elections it would do more harm than good to release it [in full]."

The third of the report that was released states: "The system ... is at high risk of compromise." It confirms many of Rubin's technical findings, though it dismisses many of his concerns as "not relevant to ... Maryland's implementation of the AccuVote-TS system." SAIC cites problems in other Diebold software that Rubin had not been able to inspect and lists numerous security weaknesses. Radke, Diebold's marketing director, says, "The vast majority of issues in that report had to do with procedural issues and had nothing to do with performance of our equipment."

Right after the SAIC report was released, Ehrlich authorized the Maryland Board of Elections to proceed with purchase of the Diebold machines. The governor's decision baffles Rubin. "I can't help but wonder how the state of Maryland could possibly go ahead with this."

Diebold's public relations effort gained some ground last August when Rubin voluntarily disclosed that he was an adviser to VoteHere Inc., which markets a product called RemoteVote that Radke describes as a competitor to Diebold's technology. (Attorneys for Hopkins have concluded that Diebold and VoteHere are not competitors.) The press, and Diebold, hopped on the story, charging Rubin with conflict of interest that compromised the integrity of his report. Says Radke, "I would say it's analogous to someone within General Motors writing a review of an automobile introduced by Ford."

Rubin says he'd been asked to serve on a VoteHere advisory board back in 2000, that he'd insisted on a clause in the advisory contract explicitly stating he did not endorse VoteHere's products, and that he'd never heard from the company in the intervening three years and so had forgotten the affiliation. When he realized last August that he was still listed on the VoteHere Web site as one of the company's advisers, he resigned, gave back the stock options he'd been given, and issued a statement disclosing his connection to the company.

Regardless of the mileage gained by Diebold after the VoteHere disclosure, the last year has not been kind to the electronic voting machine industry. In mid-2003, someone hacked a Diebold computer system and filched a 1.8-gigabyte trove of internal company e-mail that was soon posted to the Internet for all to read. Various messages from that trove refer to the ease with which election audit logs (the record of how each election is conducted) can be rewritten, and how Diebold software called GEMS (the data management system that assembles the vote tallies) could be accessed and rewritten using off-the-shelf Microsoft Access software. In November 2003, California suspended certification of Diebold machines and ordered an audit of its voting systems because of suspicion that Diebold used uncertified software in at least two counties in the gubernatorial recall election. In that same month, an electronic system in Boone County, Indiana, recorded 144,000 votes cast in a precinct of fewer than 19,000 registered voters. A candidate for a school board in Fairfax County, Virginia, lost a close election and challenged the results. Tests of the computer voting terminals used in the election revealed that the machines periodically subtracted votes cast for her. The problems in Indiana and Virginia did not involve Diebold technology but did nothing to increase public confidence in electronic voting. In December, J. Kenneth Blackwell, secretary of state in Ohio, where Diebold is based, released two examinations of electronic voting systems that had been ordered by his office. The studies looked at systems from four different vendors and cited Diebold for the largest number of serious security risks. Blackwell said, "I will not place these voting devices before Ohio's voters until identified risks are corrected and system security is bolstered."

"There are more checks and balances on ATMs than on voting machines," says Barbara Simons, "which is pretty appalling." Critics of the Rubin report argue that all these computer scientists are mere alarmists, Chicken Littles who find a flaw in a line of computer code and squawk that the sky is falling on democracy. They ask, Can anyone guarantee a 100-percent tamper-proof election? Then they answer, Of course not, which means electronic voting should not be rejected just because some fretful scientist conjures imaginative scenarios of hackers fanning out across America with stacks of counterfeit smartcards in their jeans pockets.

To which Avi Rubin replies, "I don't think it's an excuse for building an insecure voting machine. Diebold's code was so bad that anyone taking a four-month course in computer security would have written it differently." Douglas W. Jones, an associate professor of computer science at the University of Iowa, has worked on electronic voting security for a decade. He says, "It's burying your head in the sand to believe that we don't have large numbers of people who have the right sort of technical command [to rig an election]. Technical skills are not that rare in the United States. We are a nation of back-yard tinkerers."

If states insist on using touch-screen computer systems, he and other security experts argue, they should require those systems to at least print a paper ballot that each voter could verify as accurate before placing in a secure box for safekeeping, for later use should officials need to conduct an audit or recount of the election. Says Barbara Simons, "There's no way for me to know, if I vote on a Diebold machine, whether or not my vote was counted. There are more checks and balances on ATMs than on voting machines, which is pretty appalling when you think about it.

Lamone acknowledges that Maryland is considering adding printers to the Diebold touch-screen system. "[But] we have 16,008 voting units. We'd have to have 16,008 printers capable of being turned on at 7 in the morning and running all day until polls close at 8 p.m. That's a pretty robust printer. What happens when a printer jams? The voter is going to turn to the poll worker and say, 'Can you help me unjam this printer?' And what is the poll worker looking at? The voter's ballot, on the printer and probably on the touch-screen monitor." So much for a secret ballot, Lamone says. "The voter is going to go ballistic."

She sounds weary as she discusses the controversy. "It would really be helpful if there were a voice of reason in the press coverage. The coverage so far has been very negative, attacking the integrity of thousands of elections officials across the country. These people really care. Fair and secure elections are their lives."

Months after publication of his analysis of the Diebold code, Rubin was still fielding calls from journalists. (And he was named one of Baltimore magazine's "Baltimoreans of the Year.") Nothing subsequent to his report had changed his mind about computer voting's lack of security. And pressure continued to mount against purely electronic elections. Democrats in the Maryland Statehouse requested yet another independent audit of the state's proposed system. U.S. Rep. Rush Holt (D-NJ) and Sen. Hilary Clinton (D-NY) each proposed federal legislation that would require any electronic election system to produce a paper audit trail. Columnist Paul Krugman, on the op-ed page of The New York Times, wrote, "Leaked internal Diebold e-mail suggests that corporate officials knew their system was flawed, and circumvented tests that would have revealed these problems. ...Why isn't this front-page news?"

On November 18, the Baltimore Sun declared its position on its editorial page: "Maryland should heed computer scientists' warnings and cancel its $55.6 million purchase of touch-screen voting machines." The editorial went on to criticize companies like Diebold for refusing to allow scrutiny of their computer code and called the numerous redactions in the state's release of the SAIC audit "unconscionable." The editorial concluded, "Voting is not a computer game; it is a cornerstone of our democracy."

Dale Keiger is a senior writer for Johns Hopkins Magazine.

Return to February 2004 Table of Contents

  The Johns Hopkins Magazine | 901 S. Bond St. | Suite 540 | Baltimore, MD 21231
Phone 443-287-9900 | Fax 443-287-9898 | E-mail [email protected]