This Fall’s U.S. Presidential elections could be stolen by one person – not Democratic candidate Barack Obama or Republican candidate John McCain – but by a rogue programmer writing code for one of the many electronic voting machines used, experts say.
After the 2000 election dispute in Florida forever ingrained the term “hanging chad” in the public consciousness, the U.S. began funding user-friendly e-voting systems.
Many researchers now say Al Gore should have won that election by a wide margin over George W. Bush, and blame a confusing ballot system for the error.
But the solution may leave the country no better off, according to experts with A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE). The centre was created in 2005 with a $7.5 million grant from the National Science Foundation as part of a program to bolster the nation’s computers against attack.
“One programmer could make a change in the software that would affect 100,000 votes,” says David Dill, an investigator with ACCURATE. “That’s a one-attacker team.”
E-voting systems in States such as Georgia and Maryland have been used since the 2006 House and Senate elections. A 2002 federal act titled “Help America Vote” provided funding to replace traditional voting methods with direct-recording electronic systems.
The aim was to make voting easier. In a country where voters choose everyone from the president to the postman, ballots can become confusing quickly, and it is not always clear how many names a voter should be checking.
Al Gore lost 2,000 voters to Pat Buchanan because of the butterfly ballot format used in Florida, researcher J.N. Wand says. That alone would have been enough to win the election, but another researcher estimates Gore would have won by 30,000 votes if voters had been warned about the possibility of voiding their ballots by selecting too many names in certain sections.
“When the entire country is voting on a single day, it’s a challenge,” says Avi Rubin, director of ACCURATE and professor of computer at Johns Hopkins University in Baltimore, Md. “I don’t think we should go back to punch cards.”
But Rubin does want to steer away from direct-recording machines. The main problem is that they can’t be audited, he explains. “The concern I have is that the machines might produce the wrong results without us even knowing it. If they were rigged, we’d never know it.”
Also working as a poll clerk in the upcoming Fall elections, Rubin writes on his blog about his training session. Ironically, he says, the anonymous paper survey he used to evaluate the training session was a more secure system than the Diebold Accuvote machines that will be used to register votes in Maryland for the next U.S. President.
“I’ve looked at the Diebold system, and there’s been several studies done on them that’s shown viruses could be put in them to change votes,” he says. “My survey was done on paper, so you’d have to put in a lot more effort to change the vote.”
Diebold voting machines have been used since the 2004 elections in many States including Florida and Ohio. Other machines, or paper balloting are used across the U.S.
Unlike Canada, where a national body determines how voting is conducted, in the U.S., the voting method is decided at the state or even the county level.
“There’s a disadvantage in having a universal system,” Rubin says. “If there’s a problem with the system, the problem is everywhere.”
Rubin formed ACCURATE with 10 other researchers who were working on voting independently. The group uses graduate students, computer scientists, a psychologist, and a lawyer to find better technologies that can be used for voting.
The centre has been developing AttackDog, an open source threat modelling system that can assess the security of a system for voting or otherwise. The program uses a method commonly used in computer science to analyze potential flaws, Dill says.
“You start with the notion you have an attacker with the goal of stealing the election,” the program’s author says. “Then you build an attack tree showing all the different problem sets that would need to be solved by the attacker.”
Election officials could one day use the software to enter in all the steps involved in their system, and AttackDog calculates all the possible iterations of steps that would need to be taken to alter the election system. Then the level of security is rated based on the number of people needed to steal an election.
“We figure the more people you have involved, the more likely it is they’ll reveal the election is being stolen,” Dill says. “Either they spill the beans or they’ll slip up and make an error.”
AttackDog isn’t publicly available yet. But ACCURATE is working with election officials in Leon County, Fla. to analyze security measures. Apart from this, the program won’t have an impact this Fall’s elections.
But the group hopes to make a bigger impact with each passing election and create a permanent solution that would ensure American votes being counted properly, Rubin says.
The main way to achieve that is to have laws that require e-voting machines produce a paper trail that can be re-counted, Rubin adds. He helped pen such a bill in Maryland that will require such systems by 2010.
“A touch screen could be used to register the vote and then print a paper ballot,” the centre’s director says. “Then you capture that voter intent with an optical scan of the ballot.”
Such a system would combine the best of both worlds, Rubin says. Technology would aid users in voting properly, but a paper trail would exist if there were any doubts surrounding the result of the vote.
E-voting in Canada
Canada never had an election with hanging chads creating problems, and hasn’t pursued funding of e-voting systems as enthusiastically as the U.S.
But Elections Canada is looking at e-voting to improve access to voting. “Various forms of technology-assisted registration and voting are already in use in a number of jurisdictions, both in Canada and around the world,” the Election Canada Web site states.
Elections held in St. John, N.B. used electronic methods to tabulate votes, not to receive them from voters, according to a spokesperson with the federal agency.
A pilot phase for an e-voting test in a by-election could happen within the next five years, but would need Parliamentary approval first.