After hearing a lot of agitation over the insecurity of electronic voting systems from people whom I consider to be Information Technology Luddites, I decided to sign up as a voting machine support technician in Montgomery County, Maryland for the primary election in March of 2004. This article reflects my experiences in that activity and demonstrates that much of the furor largely misses the mark.
Some computer scientists have been having a field day exploring the ways of modern electronic voting machines, especially those made by Diebold Election Systems. Dr. Avi Rubin of Johns Hopkins University’s Information Security Institute has been particularly active in publishing in this field. Dr. Rubin has a web site at:
that details many of his ideas. The occasional consulting contract and publication have undoubtedly been good leavening for these folks.
The early work in this area conjured up a number of scenarios by which the machines could be compromised. This has led to a movement that would allow each voter in an election to view a paper record that the voter could use to affirm that the ballot that they cast properly reflects their wishes. David Pogue’s “Reconsidering Electronic Voting” column of July 15th, 2004 examines some, but by no means all, of the issues. Providing voter-verifiable paper receipts (VPRs) would require massive reengineering and remanufacturing of machinery, since Diebold alone has more than 75,000 units in the field.
Ignoring for the moment the question of whether VPRs actually address the problems, let’s turn our attention to the hacker scenarios. Forging the “smart cards” that the voter uses to authenticate access to the machine is perhaps the most plausible method, but even if a smart card could be forged, anyone trying to vote multiple times would be easily observed by the polling place workers. There is also a safeguard in which a running tally is kept on a separate sheet of paper to determine how many ballots have been cast at each voting station.
The other methods would require insider access to the machines and the software. Given the number of machines that would have to be compromised and the complications of accessing them and tampering with them, this could only be accomplished by a massive conspiracy.
Of course, the most serious flaw is that the operating system for these terminals is a variant of Windows, which means that they dare not be connected to the Internet. The data is stored on a PCMCIA card that is removed from the machine that wrote it to a master machine that tallies the results and uploads them via a dialup connection to the central tabulating facility.
My concerns focus on far simpler matters. The machines are poorly engineered from the mechanical and electrical standpoint. Each machine weighs 60 or more lbs. It sits on four spindly telescoping legs resembling those of a cheap camera tripod. This does not provide a stable platform for inserting the smart card or pushing the touch screen, especially for people who may be a little over energetic about these matters.
The machines come on rolling carts, 10 machines to a cart. The machines have to be unpacked and set up the night before the election in order to be sure that their batteries are charged for use the next day. Each machine has a small plastic seal that has to be broken in order to open the case and erect the screen. Unfortunately the only indications that the machine is properly powered up are hidden when the lid is shut. There is not so much as a glowing LED to indicate that the machine is charging its battery.
The poll workers have from 6 am to 7 am on the morning of the election to go through an elaborate sequence of steps required to open the polls. The process is further complicated by the fact that a Democrat and a Republican Chief Judge must oversee and sign off on each step. The schedule for this is brutal. One product of this process is a set of printed tapes that show the starting vote count in each voting terminal.
During the day the election judges have ample opportunity to watch voters and to see that they are following proper procedures. As each voter departs the booth, a check mark is added to the tally for that booth, thus ensuring a record of the number of people who voted from that terminal. The idea that someone could alter a smart card or forge one and bring it into the voting place is fanciful.
The biggest fiasco in my experience as a voting machine technician occurred at the end of the day. It was necessary to “close” the election on each terminal and get the results back to the central tabulating station in 45 minutes. Given the complexity of the procedures, this was unrealistic to begin with. Tamper tape seals had to be examined, signed for, and logged. Two copies of the tallies had to run on the thermal printers in each terminal. These had to be snipped out, examined, signed, and packaged for shipment. PCMCIA cards had to be removed for uploading to the master station. This put a lot of pressure on people who, to put it mildly, had outgrown that sort of thing.
The first card, the one in the master machine, seemed to tally OK. The second one to be inserted yielded a message “Card unreadable, do you want to reformat the card?” My response was naturally “No.” Ok, maybe that was one bad card. When the same thing repeated itself with the third and fourth cards, I got the chief judge to call the support center. “Pack it up and ship it in.” was the reply.
Now the paper tapes looked fine and could undoubtedly be used to provide an accurate tally, but this was a disconcerting experience nonetheless.
The “computer scientists” (I have always maintained that “Computer Science” is an oxymoron and that this activity is instead a branch of witchcraft rather than a scientific discipline) had evidently not foreseen anything as simple as mechanical or electronic failure. Murphy’s law, however, tells us that “Anything That Can Go Wrong Will Go Wrong.”
It seems to me that the ballot box that Jon Thomason set up for the recent Pi election overcomes many of the objections to the Diebold systems. It would be a lot cheaper and much more manageable to set up a polling place with a pair of PowerBooks as redundant Web servers and have them serve a collection of 3COM Audrey terminals with software burnt into CompactFlash memory cards. Each Audrey has two USB ports; one could serve the Ethernet connection and the other a very cheap printer.
The whole kit for 20 or so terminals could be stowed in a fat suitcase with rollers. A secure, encrypted Internet connection could be used to upload results to the tabulating site. Of course, such a simple Open Source solution would deprive certain well-connected contractors of access to the public purse and is therefore unlikely to see the light of day.
Meanwhile the public can carry on with all of its paranoid fantasies about elections being stolen without ever knowing the real truth. I look forward to Election Day 2004. Primary Day 2004 was nowhere near a real taste of what chaos could reign when the system gets really stressed.