How much can state trust electronic voting?

Tuesday's primary is 1st in Maryland to be held entirely on computers

September 10, 2006|By Melissa Harris | Melissa Harris,SUN REPORTER

This Tuesday, for the first time, every voter in Maryland will cast a ballot on a voting system that is entirely electronic. Apart from the important public offices being filled, the stakes are substantial.

Since the controversial outcome of the 2000 presidential election, when the state of Florida laid bare the need to discard outdated voting systems - especially punch-card ballots - more and more states have turned to computers with mixed results.

Voters love their ATM-like ease, but every now and then, they're reminded that the voting machines are just as susceptible to unintended corruption as their home computers.

For instance, during the 2004 presidential election, one machine in a Columbus, Ohio, suburb tallied almost 3,900 more votes for President Bush than he received. The glitch was easily caught because only 638 voters cast presidential ballots at that precinct on election day. Another malfunction wiped out nearly 4,500 votes in local races in Carteret County, N.C.

Some computer scientists argue that the machines are vulnerable to more than isolated and unintentional glitches. More damage could be done, they say, if expert hackers are able to alter the machines' computer code.

A Maryland election official's worst nightmare might play out like this: A low-level worker responsible for the final security check on dozens of voting machines in Baltimore is paid $100,000 by a rogue political operative to insert malicious memory cards in them.

When the machines are activated on election day, these cards erase the voting program on the machine and replace it with one identical in every way except one: Every fifth vote for Candidate X is switched to Candidate Y.

Just how successful such fraud might be in Maryland has long been the subject of lively debate.

Since Congress mandated voting system upgrades when it passed the Help America Vote Act of 2002, two very antagonistic schools of thought have developed on the security of the state's Diebold electronic voting machines: Those who think the threat of such an attack is real and those who think such criticism is absurd.

"Computer science guys are able to get away with what I consider to be shameless scare tactics that don't take into account everything else that goes on in an election," said Donald F. Norris, director of the National Center for the Study of Elections at the University of Maryland, Baltimore County.

By everything else, Norris means locks and tamper tape on the machines; accuracy tests before and during the election; and the thousands of poll workers monitoring voters on Election Day.

And his criticism of fear-mongering among scientists is aimed at Aviel Rubin, the author of one of the first reports exposing flaws in the computer code that drives Maryland's electronic voting machines.

The Johns Hopkins University computer scientist's new book, Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting, focuses mostly on the public relations and political fallout from his work. It often paints a less-than-flattering portrait of all of the egos and spin involved, including, at times, his own.

But the book also reveals how horrifyingly easy it was for Rubin to find not only the code that runs the machines, but two critical passwords used to protect them. (An anti-electronic voting activist had found the code unprotected on the manufacturer's computer server - with the passwords imbedded in it - and published it on the Internet.)

Rubin and graduate students at Hopkins and Rice University were among the first to take a look. They found outdated encryption and programming methods, one of which had fallen into disuse in the late 1970s. And the passwords and encryption keys on all of the machines were identical, a fact that Rubin compared to having one key capable of opening every house on a block.

Six months after Rubin released his first study, the state of Maryland hired a group of computer experts at RABA Technologies in Columbia to stage an attack on the system before the March 2004 primary. This time around, the so-called "Red Team" would take into account all of the security surrounding the machines.

What they found was that an attack would be difficult, but not impossible.

To participate in the age-old tradition of vote buying, the thief would need either to be a computer expert or to hire one. The hacker would then need to figure out the password to voters' "smart cards."

Smart cards are the size of ATM cards. But unlike ATM cards, they have a small bronze-colored computer chip imbedded in the center of them, rather than a black stripe on the back. When a voter inserts that card into the voting machine, a pre-programmed ballot appears on the screen.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.