Will the election be hacked?

By Farhad Manjoo, salon.com
February 9, 2004

A few weeks after Election Night 2002, Roxanne Jekot, a computer programmer who lives in Cumming, Ga., began fearing demons lingering in the state's voting machines. The midterm election had been a historic one: Georgia became the first state to use electronic touch-screen voting machines in every one of its precincts. The 51-year-old Jekot, who has a grandmotherly bearing but describes herself as a "typical computer geek," was initially excited about the new system.

"I thought it was the coolest thing we could have done," she says.

But the election also brought sweeping victories for Republicans, including, most stunningly, one for Sonny Perdue, who defeated Roy Barnes, the incumbent Democrat, to become Georgia's first Republican governor in 135 years, while Rep. Saxby Chambliss upset Vietnam veteran Sen. Max Cleland. The convergence of these two developments -- the introduction of new voting machines and the surprising GOP wins -- began to eat away at Roxanne Jekot. Like many of her fellow angry Democrats on the Internet discussion forums she frequented, she had a hard time believing the Republicans won legitimately. Instead, Jekot began searching for her explanation in the source code used in the new voting machines.

What she found alarmed her. The machines were state-of-the-art products from an Ohio company called Diebold. But the code -- which a friend of Jekot's had found on the Internet -- was anything but flawless, Jekot says. It was amateurish and pocked with security problems. "I expected sophistication and some fairly difficult to understand advanced coding," Jekot said one evening this fall at a restaurant near her home. But she saw "a hodgepodge of commands thrown all over the source code," an indication, she said, that the programmers were careless. Along with technical commands, Diebold's engineers had written English comments documenting the various functions their software performed -- and these comments "made my hair stand on end," Jekot said. The programmers would say things like "this doesn't work because that doesn't work and neither one of them work together." They seemed to know that their software was flawed.

To Jekot, there appeared to be method in the incompetence. Professional programmers could not be so sloppy; it had to be deliberate. "They specifically opened doors that need not be opened," Jekot said, suggesting the possibility that Diebold wanted to leave its voting machines open to fraud. And, ominously, the electronic voting systems used in Georgia, like most of the new machines installed in the United States since the 2000 election, do not produce a "paper trail" -- every vote cast in the state's midterm election was recorded, tabulated, checked and stored by computers whose internal workings are owned by Diebold, a private corporation.

Jekot was particularly alarmed -- and outraged -- to learn that company CEO Walden O'Dell is one of the GOP's biggest fundraisers in his home state of Ohio and nationally. Right after the Georgia elections, an O'Dell e-mail began making the rounds of Web logs and other Internet sites that were tracking the Diebold security flaws, in which the CEO bragged that he's "committed to helping Ohio deliver its electoral votes to the president next year." What better way to deliver electoral votes for President Bush, some reasoned, than to control the equipment Americans use to cast their ballots?

"I believe that the 2002 election in Georgia was rigged," Jekot insists today. "I don't believe that Saxby Chambliss or Sonny Perdue won their races legally."

Despite Jekot's technical expertise, officials in Georgia consider her theories baseless. Roy Barnes, the defeated Democratic governor, says that blaming his loss on voting machines is "ridiculous." And, to be sure, there is no evidence proving malfeasance, and there probably never will be. The only trouble is, the state cannot furnish any definitive evidence to show that the 2002 election was not fraudulent. Proving that the machines didn't malfunction, or that they weren't hacked, is impossible. And since scores of computer scientists say that voting systems are vulnerable to attack, and because activists have raised legitimate concerns about election equipment vendors' politics and processes, Jekot's fears have come to seem, to many, entirely reasonable.

Even a self-described Christian arch-conservative, former Diebold systems manager Rob Behler, says the company failed to adequately test its troubled equipment -- and balked when he warned them of widespread problems with the machines. Last summer, computer scientists at Johns Hopkins University and Rice University found major security flaws in the Diebold machines, concluding that the Georgia system falls "far below even the most minimal security standards." And in January, experts at RABA Technologies, a consulting firm in Maryland, discovered additional failures in that state's Diebold systems. Internal Diebold e-mail shows that company engineers knew about the problems and in some instances chose to ignore them.

Some elections officials are beginning to see the profound dangers inherent in this process; California Secretary of State Kevin Shelley has ordered that all systems in his state implement a paper record by 2006. Activists hailed Shelley's decision as evidence that he understands the fundamental principle at stake: Elections should be sacrosanct.

But on Election Day this November, more than 20 percent of American voters will cast their ballots on paperless electronic machines; voters across the nation will encounter them during the primaries. Critics of touch-screen systems point to the controversy surrounding the vote in Georgia as a sign of things to come nationally. If there's an upset in a close presidential race, will we be able to trust it? Ironically, the paperless systems were supposed to restore trust in a democracy that saw the presidency hang by a few thousand chads in Florida three years ago. In Georgia, and increasingly across the nation, they're in danger of doing quite the opposite.

Many in Georgia dismiss Jekot and her Web-based acolytes as blinded partisans, conspiracy nuts, or even "wack-jobs."

But if you dismiss Roxanne Jekot as a wack-job, you still have to deal with her friends. Jekot represents only the most strident quarter of an emerging national movement aimed at slowing the spread of the kind of touch-screen systems that were first used in Georgia. While the movement counts as members some of the most shrill partisans on the Web, it also includes some of the most well-regarded computer scientists in the world -- and together, these groups have been unexpectedly successful in changing the national perceptions of touch-screen machines.

Until just about a year ago, these systems were considered the natural replacement to the punch-card machines that so roiled the last presidential election. The new machines are easy to maintain, they can accommodate multiple languages, they can be used by people with disabilities, and they have the backing of influential groups like the League of Women Voters and the ACLU. The Help America Vote Act of 2002, which doles out a total of $650 million in federal money to state and local officials who upgrade their aging voting systems, has already prompted dozens of counties and a handful of states to deploy the touch-screen systems.

The activists have upended the process. Fear of the voting machines is now a red-meat issue not just for online lefties but also for libertarians, for many on the right, and, increasingly, for the establishment. National newspapers run Op-Eds on the issue, network news shows feature the movement's proponents, and officials like Shelley, in California, have been pressed to change their positions on the systems.

If you spend much time in the world of the activists, you'll understand why. In the fall, I sat with Jim March, an anti-Diebold tech expert in Sacramento, Calif., while he showed me on his home PC how to steal an election. March, an ardent libertarian whose apartment is decorated with political posters -- "Politicians Prefer an Unarmed Populace," one announces -- spent months investigating security flaws in touch-screen systems. Thanks to his network of fellow geek-activists, he'd found flaws in the system Diebold used to tally election results, a program called GEMS. The GEMS software runs on a standard PC that's usually housed in a county election office. The system stores its votes in a format recognizable by Microsoft Access, a common office database program. If you've got a copy of Access and can get physical access to the county machine -- or, some activists say, if you discover the county's number and call into the machine over a phone line -- the vote is yours to steal.

While I sat at his computer, March helped me open a file containing actual results from a March 2002 primary election held in San Luis Obispo County, Calif. -- a file that March says would be accessible to anyone who worked in the county elections office on Election Day. Following March's direction, I changed the vote count with a few clicks. Then, he explained how to alter the "audit log," erasing all evidence that we'd tampered with the results. I saved the file. If it had been a real election, I would have been carrying out an electronic coup. It was a chilling realization.

The person who discovered the problems with the GEMS program -- she's singularly responsible for almost every bit of attention recently paid to electronic voting machines, and for almost every juicy detail uncovered about the vote in Georgia -- is a middle-aged publicist-turned-investigative-journalist in Seattle named Bev Harris. Harris began thinking about voting machines in late 2002, when, after reading some claims on the Web that the election equipment firms were being infiltrated by foreign nationals, she decided, almost on a lark, to investigate the matter.

Harris had no journalistic experience, but she'd always harbored fantasies of uncovering something big. She turned out to be exceptionally talented at reporting. Within a few weeks of her investigation, she'd dug up many compelling nuggets. She found, for instance, that in the early 1990s, before he was elected to office, Sen. Chuck Hagel, the Nebraska Republican, served as the president of American Information Systems, the company that built most of the voting machines used in his state. Harris also discovered that Diebold, the firm that produced the machines used in Georgia, had left the software used to run its systems on a public server online. Harris downloaded these files and looked through them. She saw that she had the company's source code as well as several other curiously named files -- one, for example, was called "rob-georgia.zip."

Before Bev Harris found the files used in Georgia, the software in the machines had essentially been secret. Although the code had been reviewed by government testing authorities, nobody outside those labs had been allowed to see the programs, which is a standard provision in most electronic voting systems. When the computing public got a peek at the files Harris found, experts were not kind.

In July, a team of four computer scientists at Johns Hopkins University and Rice University announced that they'd uncovered major security flaws in the machines used in Georgia's elections. "Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts," the team wrote. Diebold has long boasted that votes in its system are stored in an encrypted manner, hidden to anyone who didn't have a valid password; the computer scientists found that Diebold's programmers left the "key" to decrypt the votes written into the code, which is a bit like locking your door and placing the key on the welcome mat. The Hopkins/Rice scientists also said that they saw no adequate mechanism to prevent voters from casting multiple ballots, viewing partial election results, or terminating an election early.

On Jan. 19, a team of computer scientists working with RABA Technologies set up a red-team exercise -- a one-day attempt to hack into Diebold machines configured as they would be on Election Day. They were successful. In a short time, the hackers managed to guess the passwords securing the voting system, allowing them to cast multiple ballots. They found that with a standard lock-pick set, they could inconspicuously open up each machine -- sometimes in less than 10 seconds -- and remove or attach various pieces of hardware, letting them erase or change electronic ballots. They concluded that Diebold's touch-screen machines contain "considerable security risks," and they suggested that Maryland put in place stringent safeguards before its March 2 primary, and that the state overhaul the system before the presidential election.

Diebold fiercely disputes that its technology is vulnerable to attacks. Mark Radke, a spokesman for Diebold, says that the RABA study pointed out some areas in which Maryland could improve its voting procedures, and he's pleased that Maryland is instituting those changes. As for the Hopkins study, Radke says the scientists who looked at the system erred in their assessment by examining only a small bit of the code and by neglecting the "checks and balances" that occur in an actual election. He pointed to a study of the company's system that was performed by Science Applications International Corp., a consulting firm, at the behest of the state of Maryland. The SAIC report gives Diebold a clean bill of health, and Georgia officials say it proves their system is safe. (The study is available here in PDF format.)

There is no evidence that someone tampered with the votes in Georgia. But certainly it is not beyond the bounds of possibility that someone could do so in the future. The history of American democracy is replete with allegations of vote fixing and stolen elections -- from Rutherford Hayes' disputed victory over Samuel Tilden in 1876 to Illinois in 1960 (there were vote fraud allegations against both Richard Nixon and John F. Kennedy) to the Florida debacle in 2000. Leaving the security of such a crucial government function in the hands of private companies motivated primarily by a desire to make a quick buck seems like a loopy idea to many people. And the more one listens to the activists' complaints about how Diebold does business, the more one comes to understand their worries about election security.

Bev Harris says that in August, a former employee at Diebold handed her a trove of documents from the company, representing years of discussions on an internal company Web site. In the memos, Diebold programmers seem to acknowledge security holes in their system, and they appear to discuss methods of evading testing authorities. In one e-mail, Ken Clark, a programmer at the company, acknowledges that vote data can be viewed with Microsoft Access, but he says that fixing the problem will be difficult, and it would be easier to feel out the testing labs and "find out what it is going to take to make them happy." In another e-mail, Clark recommends to his co-workers that if the state of Maryland -- which has also purchased the company's touch-screen machines -- decides to require a paper trail in its voting systems, the company should exact a high price for the required upgrades. Diebold should charge Maryland "out the yin," Clark wrote. In yet another e-mail, Clark does an impression of how voters in Georgia might react to touch-screen machines: "Yer votin thingamajig sure looks purdy," he writes. (Calls to Clark were routed to Diebold's P.R. office. While the company concedes that the memos are authentic, it disputes Harris' claim that the files came from a Diebold employee. Instead, says Mark Radke, Diebold's computers were hacked. The firm initially threatened to sue people who posted the files on the Web, but it has backed off that threat.)

In the spring of 2003, Harris received an e-mail that read, "I think I may be the Rob in rob-georgia." The message was from Rob Behler, a laid-off telecom worker who found a contract job at Diebold's Atlanta warehouse in the summer before the midterm election. Behler, a friendly fellow in his 30s who speaks with a disarming Southern drawl, paints a disastrously unflattering picture of the company that provided his state with its voting equipment. He told Harris that his time at Diebold was marked by confusion and chaos, a month of 16-hour days in which he did nothing but fix broken machines, broken management techniques, and deal with incompetent people.

On his first day on the job, Behler, who had never worked on election systems before, was promoted to a manager's position and put in charge of the team assembling, testing and deploying all of the voting machines in the state. He says that when he checked the machines that employees had been assembling for months, he discovered that large numbers of them were defective.

During the few weeks that followed, Behler spent his time fixing the machines. He says that each time he discovered a new problem with the systems, he would call up the tech experts at Diebold, and they would determine a way to fix it. The programmers would put a file on the company server -- a file like rob-georgia.zip -- and Behler would download it to his laptop, store it on a memory card, then install the memory card on the touch-screen machines. The process steered clear of any certification authorities; no independent body was checking to see what was being installed on the system.

Indeed, Behler remembers a conference call with Diebold executives in which they specifically discussed what to tell Georgia authorities if Diebold engineers were caught installing software on the machines. "Can't we just tell them we're updating?" Behler wondered in the meeting. "They're like, 'No, no, no, no, no, you can't do that. It has to be certified.' And I say, 'Oh? So we don't want them to know that we're fixing a problem?' So I was like, 'OK -- we can tell them that we're doing a quality check and that we're making sure that they're all the same.' And that's exactly what we did."

Mark Radke of Diebold says, "All I can tell you about these situations is that before the units are deployed they are fully tested, and that final testing was proof-positive about how those units were going to function."

The Georgia secretary of state's office dismisses most of Behler's claims. Chris Riggall, press secretary to Cathy Cox, the secretary of state, says that at some point before the 2002 election, Diebold did discover that Windows CE, the version of the Microsoft Windows operating system that runs on the touch-screen machines, needed to be upgraded. But this was a one-time fix that Cox was fully aware of, he said. This fix was not formally certified by state and federal testing authorities, as Georgia law requires. But Riggall says that the state's testing experts determined that because the upgrade was only to the Windows operating system and not to the other software in the touch-screen machine, it did not need to be certified. The election was fast approaching, Riggall said, and there simply was no time for certification. Doing it this way was "not our preferred best option," he wrote in an e-mail, "but nevertheless justifiable under the circumstances." As for Behler's claim that the software was downloaded from Diebold's publicly accessible server, Riggall says that's not true. "No, we never used that site during any aspect of the 2002 elections."

Behler, who has seven children, is an arch-conservative. One night this fall, standing outside his five-bedroom house in one of Atlanta's affluent northern suburbs, he described his politics in detail -- why he favored the ban on late-term abortions, why he considers the minimum wage a foolish idea, why he prefers George W. Bush to Bill Clinton, and why, despite what he knows of working at Diebold, he does not believe that the 2002 election in his state was rigged. For one thing, he doesn't consider the GOP's wins very surprising; to him, the Republicans running that year were fine candidates. But he does believe the Diebold flaws are an open invitation to election mischief.

The transition to touch-screen machines in Georgia was proposed and championed by Democrats, and the state's elected Democrats remain the machines' fiercest defenders. It is an irony of this story, then, that while Roxanne Jekot and her friends claim that Republicans rigged the 2002 election, it is for Democrats -- or, for one Democrat in particular, Georgia's secretary of state, Cathy Cox -- that they reserve their contempt. Cox, a former journalist and attorney who was first elected to office in 1998, is the nation's leading proponent of electronic voting systems. After the 2000 election, Cox grasped, long before her peers in other states, that electronic voting would be the future of elections. It was a future that she was determined to bring to her state.

Georgia has 159 counties, more than any state except Texas, and, before the new machines were installed, there were nearly as many different voting systems in use -- old-school lever machines (which also produce no paper trail), punch-card machines, and optical scan systems (which use SAT-style fill-in-the-bubble ballots), all of varying makes and models. Shortly after the 2000 election, Cox commissioned a study on the accuracy of these systems, looking at one measure in particular, the presidential-race undervote. (The undervote in a given race is the number of ballots on which voters failed to register any choice for a candidate.) Cox found that the highest undervote rates occurred in neighborhoods where there were large groups of minorities.

In a sample of predominantly black precincts Cox examined, for instance, she found that the undervote was an alarming 8.1 percent. What was mysterious was that optical scan voting systems -- which are really the only alternative to touch-screen machines still available for sale -- did not seem to greatly improve the undervote rate among minorities. While the undervote rate on optical scan machines in white neighborhoods was just 2.2 percent, in black neighborhoods it was 7.6 percent. The situation in Georgia was so obviously discriminatory that in 2001, the ACLU sued Cox to force her to upgrade the state's elections systems. Cox says that she chose touch-screen systems because, among other attributes, they had the best chance of reducing the undervote. She was right: In the 2002 election, using the new machines, the undervote rate in Georgia was less than 1 percent.

In the online forums where voting-machine critics assert that Republicans fixed the 2002 election in Georgia, it's often said that the results in the state surprised everybody. This isn't exactly the case. The Senate race, which pitted the incumbent Democrat Max Cleland against Saxby Chambliss, a Republican, was widely considered a tossup by Election Day.

The big surprise, perhaps the largest upset anywhere in the country that night, was in the governor's race. Roy Barnes had been all but assured a win. He had everything on his side, including money (Barnes outspent Sonny Perdue by a margin of 6 to 1), history (Georgia is the only state in the nation that did not elect a Republican governor in all of the 20th century) and a commanding lead in the polls.

But when Barnes eventually lost (with 46 percent to Perdue's 51 percent), his campaign did not suspect the voting machines, not even for a second. According to Bobby Kahn, Barnes' chief of staff and an old-time political hand in Georgia, there was an obvious political reason for the defeat -- the Confederate flag. In an e-mail, Roy Barnes wrote that "you will see that the dominant factor in my defeat in 2002 was anger over my actions in changing the Georgia flag to reduce the size of the Confederate battle emblem. I knew from my travels around the state that there was a lot of anger over the change -- I had believed, or at least hoped, I could overcome the anger, but I couldn't." Voter turnout among white Georgians in 2002 was unexpectedly high, much higher than in the 1998 race.

In his office this fall, Chris Riggall, Cox's press secretary, said that many of the computer scientists who have questioned electronic voting systems have little firsthand experience in elections, and are therefore unqualified to judge a voting system's security. And those who say there was something amiss with the 2002 election don't have a clue about how politics works in Georgia, he said. "When I see the Independent" -- the London newspaper -- "saying the only way Max Cleland could have lost was because of the voting machines, I have to laugh. What in the hell do you know about Georgia political history? The last time he won with [just] 30,000 votes!"

"Our system is not perfect," says Riggall. "Our system is vulnerable, but we believe it's less so than all of the alternatives. So our frustration is the lack of context, perspective and knowledge of what happens in Georgia."

But the movement to challenge electronic voting is not confined to Georgia, or to those who worry about the 2002 election results. David Dill, a computer scientist at Stanford University, has been among the one or two activists most responsible for the shift. Dill says that when he first heard that systems were being installed in Georgia and in some of California's largest counties -- including his own, Santa Clara -- he initially figured "that somebody was minding the store and making sure that the equipment is somehow trustworthy."

Then he did some research into how the systems were designed and implemented, and "I began to feel that maybe that wasn't true," he says. Dill says that he was particularly annoyed that election officials seemed to ignore the concerns of computer security experts, who've warned of the dangers of electronic voting for decades. So early in 2003, Dill posted a petition online demanding that all computerized voting equipment produce what he called a "voter-verifiable audit trail."

The audit trail (an idea that was first developed by Rebecca Mercuri, a computer scientist who has long studied the voting systems and is now a research fellow studying transparency in computational systems at Harvard's Kennedy School) works as follows: When a voter casts a ballot on a touch-screen machine, she'll be presented with a paper version of her votes to look over. Once she approves this paper ballot, it becomes the official record of her vote (she is not allowed to remove the paper ballot from the voting precinct). If there is a question about the accuracy of the electronic count, election officials would be required to manually count the paper ballots; if there's a discrepancy between the two counts, the manual count would be considered the official result of the election. Thousands of computer scientists have signed Dill's demand; attaining it nationally has become the paramount goal for the critics of the touch-screen systems.

"It's not just one computer scientist whining about this," Dill says. "It's a lot of very reputable people who are willing to say that as far as they can see this voter-verifiable audit trail idea is the only way you can conceive the necessary level of confidence in the equipment."

Kevin Shelley's decision, in late November, to require a paper trail in California's electronic voting machines was gutsy -- and some say precipitous. No paper-equipped touch-screen system has ever been used in a real election in the state, and a few election experts have expressed serious concerns about the viability of such a machine. Ted Selker, a computer scientist at MIT who has studied election procedures, fears that the paper trail would be prone to accidents and attacks: Paper ballots are tricky to count accurately by machine, are almost impossible and time-consuming to count by hand, and, of course, they can easily be tampered with. It's not clear how the paper ballots would be made accessible to the blind, either, and nobody knows how much upgrading to the paper system would cost. Selker, who worked on a landmark study of the 2000 election, says that millions of votes each year are lost because of faulty registration databases, flawed ballot design, and poorly trained poll workers. Spending money on a paper trail rather than to fix these known problems, he says, is a waste.

Officials in Shelley's office acknowledge the concerns with paper, but they insist that voting firms will overcome them. Most major voting companies, including Diebold, already say they can build systems that include a paper trail. "Our perspective is that voter confidence is paramount in terms of the election process," Tony Miller, an attorney in Shelley's office, says. "Even if this costs a few thousand dollars, the cost of democracy is not necessarily cheap and it shouldn't be the determining factor."

David Dill describes Shelley's decision as "the biggest breakthrough that the paper trail movement has had to date," and he says that he's certain "it will affect the attitude of people in other states." He was right: In December, Nevada also acted to require paper receipts. Dill also has high hopes for the Voter Confidence and Increased Accessibility Act of 2003, a bill introduced in Congress by Rep. Rush Holt, a New Jersey Democrat, which would require a paper trail nationally. Three Democrats in the Senate -- Barbara Boxer, Hillary Clinton and Bob Graham -- have each proposed companion legislation.

But officials who've already invested in paperless machines will have a hard time joining the paper-trail bandwagon. In Georgia, for instance, Cathy Cox is sticking by her decision. In a speech to the state's political scientists in November, she assailed the critics who've lately attacked touch-screen voting systems, saying they "approach the issue of election technology as if on a mission to save humanity from the scourge of a worldwide conspiracy." But Cox, it should be noted, is massively invested in the reliability of the Diebold systems she purchased, having staked her political career -- and the millions it cost to purchase them -- on the new system.

The people who insist that Georgia's 2002 election was stolen may well be wrong. But the attention that they are focusing on voting machines is anything but misplaced. An election has to be above suspicion, even above the suspicion of some of the most suspicious people in a democracy. Says California's Tony Miller: "If people don't have confidence in the voting systems being used, then they lose faith in the voting process itself."

salon.com