Friday, October 17, 2003

All the President's Votes?

(reprinted from Independent.co.uk, Oct. 14, 2203)
by Andrew Gumbel

Something very odd happened in the mid-term elections in Georgia last
November. On the eve of the vote, opinion polls showed Roy Barnes, the
incumbent Democratic governor, leading by between nine and 11 points.
In a somewhat closer, keenly watched Senate race, polls indicated that
Max Cleland, the popular Democrat up for re-election, was ahead by two
to five points against his Republican challenger, Saxby Chambliss.

Those figures were more or less what political experts would have
expected in state with a long tradition of electing Democrats to
statewide office. But then the results came in, and all of Georgia
appeared to have been turned upside down. Barnes lost the governorship
to the Republican, Sonny Perdue, 46 per cent to 51 per cent, a swing of
as much as 16 percentage points from the last opinion polls. Cleland
lost to Chambliss 46 per cent to 53, a last-minute swing of 9 to 12
points.

Red-faced opinion pollsters suddenly had a lot of explaining to do and
launched internal investigations. Political analysts credited the upset
- part of a pattern of Republican successes around the country - to a
huge campaigning push by President Bush in the final days of the race.
They also said that Roy Barnes had lost because of a surge of "angry
white men" punishing him for eradicating all but a vestige of the old
confederate symbol from the state flag.

But something about these explanations did not make sense, and they
have made even less sense over time. When the Georgia secretary of
state's office published its demographic breakdown of the election
earlier this year, it turned out there was no surge of angry white men;
in fact, the only subgroup showing even a modest increase in turnout
was black women.

There were also big, puzzling swings in partisan loyalties in different
parts of the state. In 58 counties, the vote was broadly in line with
the primary election. In 27 counties in Republican-dominated north
Georgia, however, Max Cleland unaccountably scored 14 percentage points
higher than he had in the primaries. And in 74 counties in the Democrat
south, Saxby Chambliss garnered a whopping 22 points more for the
Republicans than the party as a whole had won less than three months
earlier.

Now, weird things like this do occasionally occur in elections, and the
figures, on their own, are not proof of anything except statistical
anomalies worthy of further study. But in Georgia there was an extra
reason to be suspicious. Last November, the state became the first in
the country to conduct an election entirely with touchscreen voting
machines, after lavishing $54m (£33m) on a new system that promised to
deliver the securest, most up-to-date, most voter-friendly election in
the history of the republic. The machines, however, turned out to be
anything but reliable. With academic studies showing the Georgia
touchscreens to be poorly programmed, full of security holes and prone
to tampering, and with thousands of similar machines from different
companies being introduced at high speed across the country, computer
voting may, in fact, be US democracy's own 21st-century nightmare.

In many Georgia counties last November, the machines froze up, causing
long delays as technicians tried to reboot them. In heavily Democratic
Fulton County, in downtown Atlanta, 67 memory cards from the voting
machines went missing, delaying certification of the results there for
10 days. In neighboring DeKalb County, 10 memory cards were unaccounted
for; they were later recovered from terminals that had supposedly
broken down and been taken out of service.

It is still unclear exactly how results from these missing cards were
tabulated, or if they were counted at all. And we will probably never
know, for a highly disturbing reason. The vote count was not conducted
by state elections officials, but by the private company that sold
Georgia the voting machines in the first place, under a strict
trade-secrecy contract that made it not only difficult but actually
illegal - on pain of stiff criminal penalties - for the state to touch
the equipment or examine the proprietary software to ensure the
machines worked properly. There was not even a paper trail to follow
up. The machines were fitted with thermal printing devices that could
theoretically provide a written record of voters' choices, but these
were not activated. Consequently, recounts were impossible. Had Diebold
Inc, the manufacturer, been asked to review the votes, all it could
have done was program the computers to spit out the same data as
before, flawed or not.

Astonishingly, these are the terms under which America's top three
computer voting machine manufacturers - Diebold, Sequoia and Election
Systems and Software (ES&S) - have sold their products to election
officials around the country. Far from questioning the need for rigid
trade secrecy and the absence of a paper record, secretaries of state
and their technical advisers - anxious to banish memories of the
hanging chad fiasco and other associated disasters in the 2000
presidential recount in Florida - have, for the most part, welcomed the
touchscreen voting machines as a technological miracle solution.

Georgia was not the only state last November to see big last-minute
swings in voting patterns. There were others in Colorado, Minnesota,
Illinois and New Hampshire - all in races that had been flagged as key
partisan battlegrounds, and all won by the Republican Party. Again,
this was widely attributed to the campaigning efforts of President Bush
and the demoralization of a Democratic Party too timid to speak out
against the looming war in Iraq.

Strangely, however, the pollsters made no comparable howlers in
lower-key races whose outcome was not seriously contested. Another
anomaly, perhaps. What, then, is one to make of the fact that the
owners of the three major computer voting machines are all prominent
Republican Party donors? Or of a recent political fund-raising letter
written to Ohio Republicans by Walden O'Dell, Diebold's chief
executive, in which he said he was "committed to helping Ohio to
deliver its electoral votes to the president next year" - even as his
company was bidding for the contract on the state's new voting
machinery?

Alarmed and suspicious, a group of Georgia citizens began to look into
last November's election to see whether there was any chance the
results might have been deliberately or accidentally manipulated. Their
research proved unexpectedly, and disturbingly, fruitful.

First, they wanted to know if the software had undergone adequate
checking. Under state and federal law, all voting machinery and
component parts must be certified before use in an election. So an
Atlanta graphic designer called Denis Wright wrote to the secretary of
state's office for a copy of the certification letter. Clifford Tatum,
assistant director of legal affairs for the election division, wrote
back: "We have determined that no records exist in the Secretary of
State's office regarding a certification letter from the lab certifying
the version of software used on Election Day." Mr Tatum said it was
possible the relevant documents were with Gary Powell, an official at
the Georgia Technology Authority, so campaigners wrote to him as well.
Mr Powell responded he was "not sure what you mean by the words 'please
provide written certification documents' ".

"If the machines were not certified, then right there the election was
illegal," Mr Wright says. The secretary of state's office has yet to
demonstrate anything to the contrary. The investigating citizens then
considered the nature of the software itself. Shortly after the
election, a Diebold technician called Rob Behler came forward and
reported that, when the machines were about to be shipped to Georgia
polling stations in the summer of 2002, they performed so erratically
that their software had to be amended with a last-minute "patch".
Instead of being transmitted via disk - a potentially time-consuming
process, especially since its author was in Canada, not Georgia - the
patch was posted, along with the entire election software package, on
an open-access FTP, or file transfer protocol site, on the internet.

That, according to computer experts, was a violation of the most basic
of security precautions, opening all sorts of possibilities for the
introduction of rogue or malicious code. At the same time, however, it
gave campaigners a golden opportunity to circumvent Diebold's own
secrecy demands and see exactly how the system worked. Roxanne Jekot, a
computer programmer with 20 years' experience, and an occasional
teacher at Lanier Technical College northeast of Atlanta, did a
line-by-line review and found "enough to stand your hair on end".

"There were security holes all over it," she says, "from the most basic
display of the ballot on the screen all the way through the operating
system." Although the program was designed to be run on the Windows
2000 NT operating system, which has numerous safeguards to keep out
intruders, Ms Jekot found it worked just fine on the much less secure
Windows 98; the 2000 NT security features were, as she put it,
"nullified".

Also embedded in the software were the comments of the programmers
working on it. One described what he and his colleagues had just done
as "a gross hack". Elsewhere was the remark: "This doesn't really
work." "Not a confidence builder, would you say?" Ms Jekot says. "They
were operating in panic mode, cobbling together something that would
work for the moment, knowing that at some point they would have to go
back to figure out how to make it work more permanently." She found
some of the code downright suspect - for example, an overtly
meaningless instruction to divide the number of write-in votes by 1.
"From a logical standpoint there is absolutely no reason to do that,"
she says. "It raises an immediate red flag."

Mostly, though, she was struck by the shoddiness of much of the
programming. "I really expected to have some difficulty reviewing the
source code because it would be at a higher level than I am accustomed
to," she says. "In fact, a lot of this stuff looked like the homework
my first-year students might have turned in." Diebold had no specific
comment on Ms Jekot's interpretations, offering only a blanket caution
about the complexity of election systems "often not well understood by
individuals with little real-world experience".

But Ms Jekot was not the only one to examine the Diebold software and
find it lacking. In July, a group of researchers from the Information
Security Institute at Johns Hopkins University in Baltimore discovered
what they called "stunning flaws". These included putting the password
in the source code, a basic security no-no; manipulating the voter
smart-card function so one person could cast more than one vote; and
other loopholes that could theoretically allow voters' ballot choices
to be altered without their knowledge, either on the spot or by remote
access.

Diebold issued a detailed response, saying that the Johns Hopkins
report was riddled with false assumptions, inadequate information and
"a multitude of false conclusions". Substantially similar findings,
however, were made in a follow-up study on behalf of the state of
Maryland, in which a group of computer security experts catalogued 328
software flaws, 26 of them critical, putting the whole system "at high
risk of compromise". "If these vulnerabilities are exploited,
significant impact could occur on the accuracy, integrity, and
availability of election results," their report says.

Ever since the Johns Hopkins study, Diebold has sought to explain away
the open FTP file as an old, incomplete version of its election
package. The claim cannot be independently verified, because of the
trade-secrecy agreement, and not everyone is buying it. "It is
documented throughout the code who changed what and when. We have the
history of this program from 1996 to 2002," Ms Jekot says. "I have no
doubt this is the software used in the elections." Diebold now says it
has upgraded its encryption and password features - but only on its
Maryland machines.

A key security question concerned compatibility with Microsoft Windows,
and Ms Jekot says just three programmers, all of them senior Diebold
executives, were involved in this aspect of the system. One of these,
Diebold's vice-president of research and development, Talbot Iredale,
wrote an e-mail in April 2002 - later obtained by the campaigners -
making it clear that he wanted to shield the operating system from
Wylie Labs, an independent testing agency involved in the early
certification process.

The reason that emerges from the e-mail is that he wanted to make the
software compatible with WinCE 3.0, an operating system used for
handhelds and PDAs; in other words, a system that could be manipulated
from a remote location. "We do not want Wyle [sic] reviewing and
certifying the operating systems," the e-mail reads. "Therefore can we
keep to a minimum the references to the WinCE 3.0 operating system."

In an earlier intercepted e-mail, this one from Ken Clark in Diebold's
research and development department, the company explained upfront to
another independent testing lab that the supposedly secure software
system could be accessed without a password, and its contents easily
changed using the Microsoft Access program Mr Clark says he had
considered putting in a password requirement to stop dealers and
customers doing "stupid things", but that the easy access had often
"got people out of a bind". Astonishingly, the representative from the
independent testing lab did not see anything wrong with this and
granted certification to the part of the software program she was
inspecting - a pattern of lackadaisical oversight that was replicated
all the way to the top of the political chain of command in Georgia,
and in many other parts of the country.

Diebold has not contested the authenticity of the e-mails, now openly
accessible on the internet. However, Diebold did caution that, as the
e-mails were taken from a Diebold Election systems website in March
2003 by an illegal hack, the nature of the information stolen could
have been revised or manipulated.

There are two reasons why the United States is rushing to overhaul its
voting systems. The first is the Florida dÈb‚cle in the Bush-Gore
election; no state wants to be the center of that kind of attention
again. And the second is the Help America Vote Act (HAVA), signed by
President Bush last October, which promises an unprecedented $3.9bn
(£2.3bn) to the states to replace their old punchcard-and-lever
machines. However, enthusiasm for the new technology seems to be
motivated as much by a bureaucratic love of spending as by a love of
democratic accountability. According to Rebecca Mercuri, a research
fellow at Harvard's John F Kennedy School of Government and a
specialist in voting systems, the shockingly high error rate of
punchcard machines (3-5 per cent in Florida in 2000) has been known to
people in the elections business for years. It was only after it became
public knowledge in the last presidential election that anybody felt
moved to do anything about it.

The problem is, computer touchscreen machines and other so-called DRE
(direct recording electronic) systems are significantly less reliable
than punchcards, irrespective of their vulnerability to interference.
In a series of research papers for the Voting Technology Project, a
joint venture of the prestigious Massachusetts and California
Institutes of Technology, DREs were found to be among the worst
performing systems. No method, the MIT/CalTech study conceded, worked
more reliably than hand-counting paper ballots - an option that US
electoral officials seem to consider hopelessly antiquated, or at least
impractical in elections combining multiple local, state and national
races for offices from President down to dogcatcher.

The clear disadvantages and dangers associated with DREs have not
deterred state and county authorities from throwing themselves headlong
into touchscreen technology. More than 40,000 machines made by Diebold
alone are already in use in 37 states, and most are touchscreens.
County after county is poised to spend hundreds of millions of dollars
more on computer voting before next spring's presidential primaries.
"They say this is the direction they have to go in to have fair
elections, but the rush to go towards computerization is very dubious,"
Dr Mercuri says. "One has to wonder why this is going on, because the
way it is set up it takes away the checks and balances we have in a
democratic society. That's the whole point of paper trails and
recounts."

Anyone who has struggled with an interactive display in a museum knows
how dodgy touchscreens can be. If they don't freeze, they easily become
misaligned, which means they can record the wrong data. In Dallas,
during early voting before last November's election, people found that
no matter how often they tried to press a Democrat button, the
Republican candidate's name would light up. After a court hearing,
Diebold agreed to take down 18 machines with apparent misalignment
problems. "And those were the ones where you could visually spot a
problem," Dr Mercuri says. "What about what you don't see? Just because
your vote shows up on the screen for the Democrats, how do you know it
is registering inside the machine for the Democrats?"

Other problems have shown up periodically: machines that register zero
votes, or machines that indicate voters coming to the polling station
but not voting, even when a single race with just two candidates was on
the ballot. Dr Mercuri was part of a lawsuit in Palm Beach County in
which she and other plaintiffs tried to have a suspect Sequoia machine
examined, only to run up against the brick wall of the trade-secret
agreement. "It makes it really hard to show their product has been
tampered with," she says, "if it's a felony to inspect it."

As for the possibilities of foul play, Dr Mercuri says they are
virtually limitless. "There are literally hundreds of ways to do this,"
she says. "There are hundreds of ways to embed a rogue series of
commands into the code and nobody would ever know because the nature of
programming is so complex. The numbers would all tally perfectly."
Tampering with an election could be something as simple as a
"denial-of-service" attack, in which the machines simply stop working
for an extended period, deterring voters faced with the prospect of
long lines. Or it could be done with invasive computer codes known in
the trade by such nicknames as "Trojan horses" or "Easter eggs".
Detecting one of these, Dr Mercuri says, would be almost impossible
unless the investigator knew in advance it was there and how to trigger
it. Computer researcher Theresa Hommel, who is alarmed by touchscreen
systems, has constructed a simulated voting machine in which the same
candidate always wins, no matter what data you put in. She calls her
model the Fraud-o-matic, and it is available online at
www.wheresthepaper.org.

It is not just touchscreens which are at risk from error or malicious
intrusion. Any computer system used to tabulate votes is vulnerable. An
optical scan of ballots in Scurry County, Texas, last November
erroneously declared a landslide victory for the Republican candidate
for county commissioner; a subsequent hand recount showed that the
Democrat had in fact won. In Comal County, Texas, a computerized
optical scan found that three different candidates had won their races
with exactly 18,181 votes. There was no recount or investigation, even
though the coincidence, with those recurring 1s and 8s, looked highly
suspicious. In heavily Democrat Broward County, Florida - which had
switched to touchscreens in the wake of the hanging chad furore - more
than 100,000 votes were found to have gone "missing" on election day.
The votes were reinstated, but the glitch was not adequately explained.
One local official blamed it on a "minor software thing".

Most suspect of all was the governor's race in Alabama, where the
incumbent Democrat, Don Siegelman, was initially declared the winner.
Sometime after midnight, when polling station observers and most staff
had gone home, the probate judge responsible for elections in rural
Baldwin County suddenly "discovered" that Mr Siegelman had been awarded
7,000 votes too many. In a tight election, the change was enough to
hand victory to his Republican challenger, Bob Riley. County officials
talked vaguely of a computer tabulation error, or a lightning strike
messing up the machines, but the real reason was never ascertained
because the state's Republican attorney general refused to authorize a
recount or any independent ballot inspection.

According to an analysis by James Gundlach, a sociology professor at
Auburn University in Alabama, the result in Baldwin County was full of
wild deviations from the statistical norms established both by this and
preceding elections. And he adds: "There is simply no way that
electronic vote counting can produce two sets of results without
someone using computer programs in ways that were not intended. In
other words, the fact that two sets of results were reported is
sufficient evidence in and of itself that the vote tabulation process
was compromised." Although talk of voting fraud quickly subsided,
Alabama has now amended its election laws to make recounts mandatory in
close races.

The possibility of flaws in the electoral process is not something that
gets discussed much in the United States. The attitude seems to be: we
are the greatest democracy in the world, so the system must be fair.
That has certainly been the prevailing view in Georgia, where even
leading Democrats - their prestige on the line for introducing
touchscreen voting in the first place - have fought tooth-and-nail to
defend the integrity of the system. In a phone interview, the head of
the Georgia Technology Authority who brought Diebold machines to the
state, Larry Singer, blamed the growing chorus of criticism on "fear of
technology", despite the fact that many prominent critics are
themselves computer scientists. He says: "Are these machines flawless?
No. Would you have more confidence if they were completely flawless?
Yes. Is there such a thing as a flawless system? No." Mr Singer, who
left the GTA straight after the election and took a 50 per cent pay cut
to work for Sun Microsystems, insists that voters are more likely to
have their credit card information stolen by a busboy in a restaurant
than to have their vote compromised by touchscreen technology.

Voting machines are sold in the United States in much the same way as
other government contracts: through intensive lobbying, wining and
dining. At a recent national conference of clerks, election officials
and treasurers in Denver, attendees were treated to black-tie dinners
and other perks, including free expensive briefcases stamped with
Sequoia's company logo alongside the association's own symbol. Nobody
in power seems to find this worrying, any more than they worried when
Sequoia's southern regional sales manager, Phil Foster, was indicted in
Louisiana a couple of years ago for "conspiracy to commit money
laundering and malfeasance". The charges were dropped in exchange for
his testimony against Louisiana's state commissioner of elections.
Similarly, last year, the Arkansas secretary of state, Bill McCuen,
pleaded guilty to taking bribes and kickbacks involving a precursor
company to ES&S; the voting machine company executive who testified
against him in exchange for immunity is now an ES&S vice-president.

If much of the worry about vote-tampering is directed at the
Republicans, it is largely because the big three touchscreen companies
are all big Republican donors, pouring hundreds of thousands of dollars
into party coffers in the past few years. The ownership issue is, of
course, compounded by the lack of transparency. Or, as Dr Mercuri puts
it: "If the machines were independently verifiable, who would give a
crap who owns them?" As it is, fears that US democracy is being
hijacked by corporate interests are being fueled by links between the
big three and broader business interests, as well as extremist
organizations. Two of the early backers of American Information
Systems, a company later merged into ES&S, are also prominent
supporters of the Chalcedon Foundation, an organization that espouses
theocratic governance according to a literal reading of the Bible and
advocates capital punishment for blasphemy and homosexuality.

The chief executive of American Information Systems in the early
Nineties was Chuck Hagel, who went on to run for elective office and
became the first Republican in 24 years to be elected to the Senate
from Nebraska, cheered on by the Omaha World-Herald newspaper which
also happens to be a big investor in ES&S. In yet another clamorous
conflict of interest, 80 per cent of Mr Hagel's winning votes - both in
1996 and again in 2002 - were counted, under the usual terms of
confidentiality, by his own company.

In theory, the federal government should be monitoring the transition
to computer technology and rooting out abuses. Under the Help America
Vote Act, the Bush administration is supposed to establish a sizeable
oversight committee, headed by two Democrats and two Republicans, as
well as a technical panel to determine standards for new voting
machinery. The four commission heads were supposed to have been in
place by last February, but so far just one has been appointed. The
technical panel also remains unconstituted, even though the new
machines it is supposed to vet are already being sold in large
quantities - a state of affairs Dr Mercuri denounces as "an
abomination".

One of the conditions states have to fulfil to receive federal funding
for the new voting machines, meanwhile, is a consolidation of voter
rolls at state rather than county level. This provision sends a chill
down the spine of anyone who has studied how Florida consolidated its
own voter rolls just before the 2000 election, purging the names of
tens of thousands of eligible voters, most of them African Americans
and most of them Democrats, through misuse of an erroneous list of
convicted felons commissioned by Katherine Harris, the secretary of
state doubling as George Bush's Florida campaign manager. Despite a
volley of lawsuits, the incorrect list was still in operation in last
November's mid-terms, raising all sorts of questions about what other
states might now do with their own voter rolls. It is not that the
Act's consolidation provision is in itself evidence of a conspiracy to
throw elections, but it does leave open that possibility.

Meanwhile, the administration has been pushing new voting technology of
its own to help overseas citizens and military personnel, both natural
Republican Party constituencies, to vote more easily over the internet.
Internet voting is notoriously insecure and open to abuse by just about
anyone with rudimentary hacking skills; just last January, an
experiment in internet voting in Toronto was scuppered by a Slammer
worm attack. Undeterred, the administration has gone ahead with its
so-called SERVE project for overseas voting, via a private consortium
made up of major defense contractors and a Saudi investment group. The
contract for overseeing internet voting in the 2004 presidential
election was recently awarded to Accenture, formerly part of the Arthur
Andersen group (whose accountancy branch, a major campaign contributor
to President Bush, imploded as a result of the Enron bankruptcy
scandal).

Not everyone in the United States has fallen under the spell of the big
computer voting companies, and there are signs of growing wariness.
Oregon decided even before HAVA to conduct all its voting by mail.
Wisconsin has decided it wants nothing to do with touchscreen machines
without a verifiable paper trail, and New York is considering a similar
injunction, at least for its state assembly races. In California, a
Stanford computer science professor called David Dill is screaming from
the rooftops on the need for a paper trail in his state, so far without
result. And a New Jersey Congressman called Rush Holt has introduced a
bill in the House of Representatives, the Voter Confidence and
Increased Accessibility Act, asking for much the same thing. Not
everyone is heeding the warnings, though. In Ohio, publication of the
letter from Diebold's chief executive promising to deliver the state to
President Bush in 2004 has not deterred the secretary of state - a
Republican - from putting Diebold on a list of preferred voting-machine
vendors. Similarly, in Maryland, officials have not taken the recent
state-sponsored study identifying hundreds of flaws in the Diebold
software as any reason to change their plans to use Diebold machines in
March's presidential primary.

The question is whether the country will come to its senses before
elections start getting distorted or tampered with on such a scale that
the system becomes unmanageable. The sheer volume of money offered
under HAVA is unlikely to be forthcoming again in a hurry, so if things
aren't done right now it is doubtful the system can be fixed again for
a long time. "This is frightening, really frightening," says Dr
Mercuri, and a growing number of reasonable people are starting to
agree with her. One such is John Zogby, arguably the most reliable
pollster in the United States, who has freely admitted he "blew" last
November's elections and does not exclude the possibility that foul
play was one of the factors knocking his calculations off course.
"We're plowing into a brave new world here," he says, "where there are
so many variables aside from out-and-out corruption that can change
elections, especially in situations where the races are close. We have
machines that break down, or are tampered with, or are simply
misunderstood. It's a cause for great concern."

Roxanne Jekot, who has put much of her professional and personal life
on hold to work on the issue full time, puts it even more strongly.
"Corporate America is very close to running this country. The only
thing that is stopping them from taking total control are the pesky
voters. That's why there's such a drive to control the vote. What we're
seeing is the corporatization of the last shred of democracy.

"I feel that unless we stop it here and stop it now," she says, "my
kids won't grow up to have a right to vote at all."

© 2003 Independent Digital (UK) Ltd

No comments: