http://itmanagement.earthweb.com/columns/executive_tech/article.php/3571926
By Brian Livingston
December 19, 2005
Two counties in Florida have terminated their use of Diebold
computerized voting equipment after computer experts showed that vote totals
could be changed by a single individual in a way that would be undetectable
later.
The county commission of Leon County, which includes
Tallahassee, voted on Dec. 13 to scrap its Diebold equipment and switch to a
different manufacturer, at an estimated cost of $1.3 million. Three days later,
the county council of Volusia County (Daytona Beach) approved a similar change.
The switch will cost that jurisdiction at least $2.5 million, county officials
said.
These actions, and the events that led up to them, can teach
us a great deal about our dependence on computer procedures that are developed
by flawed human beings.
It's not just elections, of course, that are affected by
programming errors and poorly understood code. Imagine your company purchasing
a large development project from an outside firm. If that firm overcharges you,
and you dispute the bill, can your mission-critical software be disabled at the
push of a button by its developers until you pay up? It's a good idea to ask
these questions before you invest your money in computerized solutions.
Testing the Vote-Counting Equipment
The revelations in the Florida counties were engineered by
Herbert Thompson, a computer science professor at the Florida Institute of
Technology, and Harri Hursti, a programmer who lives in Finland. They examined
optical-scan ballot counting equipment purchased by Leon County from Diebold Inc.,
a major maker of ATM and election equipment. The technicians were introduced to
county supervisor of elections Ion Sancho by BlackBoxVoting.org (BBV), a
nonprofit organization that critiques computerized voting.
Under Sancho's watchful eye, the computer experts ran the
following demonstration, according to a BBV report.
• Initializing the counter. A Diebold-specified memory card,
a device about the size of a credit card, was inserted into the optical-scan
counting machine to initialize it. As is the case before every election, a
"zero report" was run, showing that zero votes were recorded in each
race.
• Inserting the ballots. Sancho and others marked
optical-scan ballots by filling in circles on the printed cards. These forms
were then inserted into the counter, as voters normally do after marking their
ballots. The totals, counted by witnesses before the insertion, were Yes 2, No
6.
• Tabulating the vote. The totals tallied by the vote
counter, however, were Yes 7, No 1. In addition, the totals accepted from the
counter by the central tabulator, also made by Diebold, showed Yes 7, No 1. No
alerts had been sounded by either machine.
How was the count changed? Hursti had added data to the
memory card prior to its insertion. This subtracted votes from one position and
added them to the other. The same change could be made by almost any dishonest
election official, Hursti explained, without the need for any password or much
specialized knowledge. Yet the tampering "will not be detected in any normal
canvassing procedure," he said. A recount using the same memory card would
deliver the same results.
How the Winning Candidate "Rolls Over" the Loser
In a PDF report released in July 2005, Hursti said the
Diebold memory cards can hold "an executable program which acts on the
vote data." In a well-designed election system, by contrast, the vote
counting mechanism should contain only "the ballot design and the race
definitions." In other words, initializing a counting machine should
install only a list of the candidates and ballot measures to be tallied in each
race.
In his report, Hursti indicates that the vote-changing trick
can be accomplished using plain old integer math. The Diebold election machines
are designed to count each position's votes up to 65,535, which is 1 less than
a power of 2. When 1 more vote is counted, the tally "rolls over" to
0. The following vote brings the total to 1, and so forth.
The Diebold equipment, Hursti explains, can be secretly
initialized so that Candidate A starts with 65,511 votes -- which is the same
as minus 25 -- while Candidate B starts with +25. The "zero report"
would blithely show 0 votes for each candidate. After more than 25 votes have
been cast for Candidate A, there would be no indication that any tampering had
occurred.
Let's say the exact same number of voters happen to cast
ballots for each candidate. Congratulations, Candidate B -- you appear to have
won by 50 votes. Multiply this by thousands of precincts in a state, all using
identical memory cards, and you're talkin' real results.
Accomplishing the Trick in Actual Elections
Diebold, based in North Canton, Ohio, will not comment
specifically on the rejection of its equipment by Leon County. But the
manufacturer has sent a letter to county officials saying their testing was
"a very foolish and irresponsible act" and may have violated the
company's licensing agreements, according to a Dec. 15 Associated Press report.
In a development that may or may not be election-related,
long-time Diebold chairman and CEO Walden O'Dell resigned for "personal
reasons," effective immediately, according to a company press release
dated Dec. 12. In September, Diebold was forced to pay California a fine of
$2.6 million for installing uncertified software into the state's voting
machines. The company's stock plunged more than 15 percent.
Unfortunately for voters, the trick demonstrated on
Diebold's equipment by Hursti may very well have already been used in real
elections:
• Partisan access. Several election officials have access to
memory cards prior to elections. These officials tend not to be neutral.
They're usually high-level partisans in the Democratic or Republican Party. For
example, Diebold memory cards became an issue in Ohio after the 2004
Presidential election. Secretary of State Kenneth Blackwell ordered the cards
and other election records sealed from public inspection until after the
state's electors were sworn in, according to a Dayton Daily News article.
• Mysterious miscounts. In one incident that was widely
reported in Florida after the 2000 Presidential election, a Volusia County
precinct showed a final count of negative 16,000 votes for the Democratic candidate,
Al Gore. The error was resolved by making a hand count of the ballots. But Leon
County's Sancho now believes the "mistake" is evidence of a real
fraud attempt that failed only due to sloppiness. "Someone with access to
the vote center in Volusia County put it on a memory card and uploaded it into
the main system," the election supervisor told Orlando's WESH-TV News in
an interview.
• Impossible recounts. The recount in Volusia County was
possible because the actual voting records had been preserved. But that isn't
possible in a growing number of U.S. counties. In Florida, about half the
state's voters now use touch-screen equipment with no paper ballot and no
record of the votes other than a memory card, according to a Dec. 17 Miami
Herald article. In addition, the Florida Legislature passed election laws in
2001 eliminating recount requirements for touch-screens and not requiring a
paper audit trail, according to Law.com.
How Not to Write Code
Trustworthy vote counting is not a Republican or a Democratic
issue. It's essential to any free country. The sloppy code and ludicrous back
doors found in some computerized election equipment should be a wake-up call
for all Americans -- and an object lesson to businesses everywhere in how not
to outsource programming.
I wrote on April 5, 2005, that computer scientists had
determined that the reported 2004 election totals in some states, including
Ohio, were simply impossible to reconcile with scientifically valid exit polls
taken the same day. That article became the top story at Daily Kos, America's
most widely read political blog, and others.
Unfortunately, we're going to see a lot more stories like
this about election fraud, and it won't be good news. It's bad for democracy
and it brings shame on computer professionals who should be exposing these
shoddy systems, not programming them.
With everything I've learned in my life about computers, I
don't want any votes disappearing into a shiny metal box or an ephemeral memory
card. The only way an election can be fair is when tangible, paper ballots are
marked by hand by actual voters (with alternate provisions for disabled
voters). You can tabulate the votes using any machine you want, as long as the
paper ballots can be recounted as the final word.
Executive Tech Takes Off
The Executive Tech column will enjoy a holiday break later
this month, as will its readers, hopefully. The next installment will appear on
Jan. 3, 2006.
Copyright 2005 Jupitermedia Corporation All Rights Reserved.
FAIR USE NOTICE
This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of political, democracy, scientific, and social justice issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have expressed a prior interest in receiving the included information for research and educational purposes. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.