Security measures urged for voting machines; Many forms of tampering possible, consultant says

By Stephanie Desmon, Baltimore Sun
January 30, 2004

Results tallied by Maryland's 16,000 new electronic voting machines can be trusted in their first statewide test during the March 2 presidential primary, but only with some added security measures, a state official and a consultant told legislators yesterday.

Even more extensive upgrades - including the creation of a paper trail to allow voters to feel sure their ballots are counted just as they cast them - need also to be added to ensure the new ATM-like machines can be relied on in future elections, said Michael A. Wertheimer, a Columbia-based consultant hired by the state.

"I hope that is on your mind," he told members of the Senate's Education, Health and Environmental Affairs Committee.

While paper ballots will bring a new set of worries to the system, Wertheimer said having them available, at least on a limited basis, will restore voter confidence in a technology that has attracted a growing chorus of skeptics in recent months.

Maryland is spending $55 million on the Diebold AccuVote-TS touch screen machines, which were tested in four counties in 2002 and will debut in every other jurisdiction except Baltimore on March 2. The city has a different electronic voting system and is scheduled to switch to Diebold's in 2006.

After the new system was criticized by computer scientists in recent months, Karl S. Aro, executive director of the state's Department of Legislative Services, was asked by Sen. Paula C. Hollinger, chairwoman of the Education, Health and Environmental Affairs Committee, and Del. Sheila E. Hixson, chairwoman of the House Ways and Means Committee, to conduct an independent review. Aro hired Wertheimer's firm, RABA Technologies, to assist.

"We know this much: The system counts correctly. ... If you cast a vote, it's counted. That is really good news," Aro said.

Yet the review found that it is possible to vote multiple times, break into machines and disrupt results or get voters to select the wrong candidates. It's also possible to dial in to election headquarters and alter results or wipe out all of them.

Some of the attacks would mess up the official results while others would impact unofficial results, which could be remedied but would bring the machines into greater question in the court of public opinion.

"You're more secure buying a book from Amazon.com than you are uploading your results to the Diebold server," Wertheimer told the House panel.

Diebold representatives were not asked to speak at yesterday's briefings, but a spokesman for the company said later that several elections have been conducted using their machines in four counties in Maryland and they have all been run successfully. Diebold's David K. Bear said the system is a big improvement over past ones since it enables the blind to vote without assistance, allows ballots to appear in many languages and prevents over-voting, under-voting and hanging chads.

For each problem Wertheimer's team found, Bear had a suggested fix. He also urged changing passwords meant to protect "smart cards," the credit card-like devices that each voter receives when signing in at the polls that allows casting a single vote. Those passwords were included in Diebold code that was left unsecured on the Internet, code that was the subject of a critical study done by computer scientist Avi Rubin of the Johns Hopkins University last summer.

Another change needed by March, Wertheimer told legislators, is to not turn on the modem at both local boards of elections or the state until vote totals are expected. Otherwise, a hacker could dial in and do damage. He also said patches should be installed to protect the Microsoft software that is used on the servers - the state is currently 15 software upgrades behind, exposing many vulnerabilities.

The biggest fix will be the use of tamper-resistant tape, which will be placed over various parts of the voting machines that are vulnerable to physical attacks, like the compartments where the memory cards are kept. The tape says "Secure" when it is attached and then glows "Tamper" if the seal is broken.

Linda H. Lamone, the state's election administrator, said she is planning to use the tamper-proof tape, but told legislators she is concerned about the ramifications of some of the other suggested fixes.

"We're going to put tamper tape all around these things," she said. "They're going to look like someone who's had duct tape put around them."

But she said the security patches cannot be installed over the next 33 days. Other preparation work is being done on the machines and changing the software could interfere with that.

"We are risking a catastrophic failure," she said. "It doesn't seem to be worth it at this step of the game."

The issue of the paper ballots has received a great deal of attention in recent months. California's secretary of state recently decreed that its electronic voting machines would have a voter-verified paper trail - meaning the voter can at least see a piece of paper as it records how he or she voted. Diebold will reportedly be providing printers at no cost.

Wertheimer is pushing a limited use of paper ballots, perhaps on one or two machines in a precinct to provide for an audit and a comfort level for voters. He cautioned, however, that adding paper into the process would likely prevent the state from reaching the federal goal of having one problem ballot out of every 2 million. Paper, he said, has an error rate of about 10 percent.

Western Maryland Republican Del. LeRoy E. Myers Jr. said he thinks many of the threats Wertheimer outlined are too complicated to carry out.

"If this were Halloween, you'd be scaring us all to death," Myers said. "I think we're kind of overreacting. Isn't this a much more sophisticated ... system? The answer is yes."

Copyright © 2004, The Baltimore Sun