Two counties in Florida have terminated their use of Diebold computerized voting equipment after computer experts showed that vote totals could be changed by a single individual in a way that would be undetectable later.
The county commission of Leon County, which includes Tallahassee, voted on Dec. 13 to scrap its Diebold equipment and switch to a different manufacturer, at an estimated cost of $1.3 million. Three days later, the county council of Volusia County (Daytona Beach) approved a similar change. The switch will cost that jurisdiction at least $2.5 million, county officials said.
These actions, and the events that led up to them, can teach us a great deal about our dependence on computer procedures that are developed by flawed human beings.
It's not just elections, of course, that are affected by programming errors and poorly understood code. Imagine your company purchasing a large development project from an outside firm. If that firm overcharges you, and you dispute the bill, can your mission-critical software be disabled at the push of a button by its developers until you pay up? It's a good idea to ask these questions before you invest your money in computerized solutions.
Testing the Vote-Counting Equipment
The revelations in the Florida counties were engineered by Herbert Thompson, a computer science professor at the Florida Institute of Technology, and Harri Hursti, a programmer who lives in Finland. They examined optical-scan ballot counting equipment purchased by Leon County from Diebold Inc., a major maker of ATM and election equipment. The technicians were introduced to county supervisor of elections Ion Sancho by BlackBoxVoting.org (BBV), a nonprofit organization that critiques computerized voting.
Under Sancho's watchful eye, the computer experts ran the following demonstration, according to a BBV report.
Initializing the counter. A Diebold-specified memory card, a device about the size of a credit card, was inserted into the optical-scan counting machine to initialize it. As is the case before every election, a "zero report" was run, showing that zero votes were recorded in each race.
Inserting the ballots. Sancho and others marked optical-scan ballots by filling in circles on the printed cards. These forms were then inserted into the counter, as voters normally do after marking their ballots. The totals, counted by witnesses before the insertion, were Yes 2, No 6.
Tabulating the vote. The totals tallied by the vote counter, however, were Yes 7, No 1. In addition, the totals accepted from the counter by the central tabulator, also made by Diebold, showed Yes 7, No 1. No alerts had been sounded by either machine.
How was the count changed? Hursti had added data to the memory card prior to its insertion. This subtracted votes from one position and added them to the other. The same change could be made by almost any dishonest election official, Hursti explained, without the need for any password or much specialized knowledge. Yet the tampering "will not be detected in any normal canvassing procedure," he said. A recount using the same memory card would deliver the same results.
How the Winning Candidate "Rolls Over" the Loser
In a PDF report released in July 2005, Hursti said the Diebold memory cards can hold "an executable program which acts on the vote data." In a well-designed election system, by contrast, the vote counting mechanism should contain only "the ballot design and the race definitions." In other words, initializing a counting machine should install only a list of the candidates and ballot measures to be tallied in each race.
In his report, Hursti indicates that the vote-changing trick can be accomplished using plain old integer math. The Diebold election machines are designed to count each position's votes up to 65,535, which is 1 less than a power of 2. When 1 more vote is counted, the tally "rolls over" to 0. The following vote brings the total to 1, and so forth.
The Diebold equipment, Hursti explains, can be secretly initialized so that Candidate A starts with 65,511 votes -- which is the same as minus 25 -- while Candidate B starts with +25. The "zero report" would blithely show 0 votes for each candidate. After more than 25 votes have been cast for Candidate A, there would be no indication that any tampering had occurred.
Let's say the exact same number of voters happen to cast ballots for each candidate. Congratulations, Candidate B -- you appear to have won by 50 votes. Multiply this by thousands of precincts in a state, all using identical memory cards, and you're talkin' real results.
Accomplishing the Trick in Actual Elections
Diebold, based in North Canton, Ohio, will not comment specifically on the rejection of its equipment by Leon County. But the manufacturer has sent a letter to county officials saying their testing was "a very foolish and irresponsible act" and may have violated the company's licensing agreements, according to a Dec. 15 Associated Press report.
In a development that may or may not be election-related, long-time Diebold chairman and CEO Walden O'Dell resigned for "personal reasons," effective immediately, according to a company press release dated Dec. 12. In September, Diebold was forced to pay California a fine of $2.6 million for installing uncertified software into the state's voting machines. The company's stock plunged more than 15 percent.
Unfortunately for voters, the trick demonstrated on Diebold's equipment by Hursti may very well have already been used in real elections:
Partisan access. Several election officials have access to memory cards prior to elections. These officials tend not to be neutral. They're usually high-level partisans in the Democratic or Republican Party. For example, Diebold memory cards became an issue in Ohio after the 2004 Presidential election. Secretary of State Kenneth Blackwell ordered the cards and other election records sealed from public inspection until after the state's electors were sworn in, according to a Dayton Daily News article.
Mysterious miscounts. In one incident that was widely reported in Florida after the 2000 Presidential election, a Volusia County precinct showed a final count of negative 16,000 votes for the Democratic candidate, Al Gore. The error was resolved by making a hand count of the ballots. But Leon County's Sancho now believes the "mistake" is evidence of a real fraud attempt that failed only due to sloppiness. "Someone with access to the vote center in Volusia County put it on a memory card and uploaded it into the main system," the election supervisor told Orlando's WESH-TV News in an interview.
Impossible recounts. The recount in Volusia County was possible because the actual voting records had been preserved. But that isn't possible in a growing number of U.S. counties. In Florida, about half the state's voters now use touch-screen equipment with no paper ballot and no record of the votes other than a memory card, according to a Dec. 17 Miami Herald article. In addition, the Florida Legislature passed election laws in 2001 eliminating recount requirements for touch-screens and not requiring a paper audit trail, according to Law.com.
How Not to Write Code
Trustworthy vote counting is not a Republican or a Democratic issue. It's essential to any free country. The sloppy code and ludicrous back doors found in some computerized election equipment should be a wake-up call for all Americans -- and an object lesson to businesses everywhere in how not to outsource programming.
I wrote on April 5, 2005, that computer scientists had determined that the reported 2004 election totals in some states, including Ohio, were simply impossible to reconcile with scientifically valid exit polls taken the same day. That article became the top story at Daily Kos, America's most widely read political blog, and others.
Unfortunately, we're going to see a lot more stories like this about election fraud, and it won't be good news. It's bad for democracy and it brings shame on computer professionals who should be exposing these shoddy systems, not programming them.
With everything I've learned in my life about computers, I don't want any votes disappearing into a shiny metal box or an ephemeral memory card. The only way an election can be fair is when tangible, paper ballots are marked by hand by actual voters (with alternate provisions for disabled voters). You can tabulate the votes using any machine you want, as long as the paper ballots can be recounted as the final word.
An Executive Tech update
A spokesman for the Ohio Secretary of State e-mailed me comments on the
above article on Dec. 21. His remarks and my response are in my
Jan. 3, 2006, column.
Executive Tech Takes Off
The Executive Tech column will enjoy a holiday break later this month, as will its readers, hopefully. The next installment will appear on Jan. 3, 2006.