As I See It: Trust but Verify: Computer Science and Democracy

Some years ago, I traveled to Taiwan on business. One evening I was eating dinner in a small town that boasted having a single stoplight. The restaurant was near the controlled intersection, and I couldn’t help but notice that everyone pretty much disregarded the light and drove through it as if it wasn’t there. “Why do they ignore it?” I asked my Chinese translator. “Ah,” replied the man, “the light has only been installed for a few years, and no one trusts it yet.”

In a culture that spans thousands of years, in which the word “enduring” is measured in centuries rather than hit records, suspicion is, I suppose, a reasonable response to new, unproven technology.

We, on the other hand, trust our technology with an unquestioning faith that ministers would envy. Without much thought, we set off across the desert trusting our car will get us to the next city in air-conditioned comfort. We trust our airplanes not to fall from the sky. We trust life-support machines will keep our loved ones breathing and administer the right amount of medication, at the right time. We trust the lights will come on when we flip the switch, that hot water will flow from the tap, and that a sequence of numbers we press on a hand-held device will connect us to our desired party. And since much of our technology is computer-controlled, we put great stock in computing technology. Above all, we trust the information computers provide us.

But what if that trust were misplaced?

In a little over a month, computers may decide the outcome of a decision that is vitally important not only to our nation, but to the world. Automated voting machines are predicted to tally the presidential preferences of up to 61 million people. But can they be trusted? In November of 2002, computerized voting machines in Texas tallied three separate races and gave each of the winning candidates an identical number of votes: 18,181. Perhaps if coincidence were made of spandex it could stretch that far, otherwise a healthy skepticism is in order. However, officials in Texas saw the tally as merely coincidental and did not order an audit. In any event, it’s not clear that an audit could have even been performed, since these machines provide no paper trail.

Nor is that the only instance of voting machine error. Investigative journalist Bev Harris began researching voting machines in 2002 after the Alabama governor’s race was suspiciously overturned. “Six thousand three hundred Baldwin County electronic votes mysteriously disappeared after the polls had closed and everyone had gone home. Democrat Don Siegelman’s victory was handed to Republican Bob Riley, and the recount Siegelman requested was denied.” The makers of the voting machines, Election Systems and Software (ES&S), shrugged off any responsibility. Harris reports that Mark Kelley of ES&S offered the following extraordinary explanation: “Something happened. I don’t have enough intelligence to say exactly what.”

Gee, I guess that should make us all feel better.

If these had been isolated events, perhaps they could be overlooked, but Harris found 56 documented cases “in which voting machines got it wrong.”

In North Carolina, a programming error caused machines to skip several thousand votes. Fixing the error turned up 5,500 more votes and reversed the election for state representative.

In Gretna, Nebraska, voting machines failed to tally the “yes” votes on a school bond measure. The measure was thought to have overwhelmingly failed, while it actually had passed by a 2-1 margin.

In Orange County, California, a programming error reversed the “yes” and “no” buckets used to count votes. Consequently, the computer was 100 percent wrong.

In Clay County, Kansas, voting machines indicated the losing commissioner received 48 percent of the vote, while a manual recount revealed he had actually won the election with a whopping 76 percent of the vote total.

It doesn’t matter if you’re a Democrat or a Republican, such failures are of bipartisan concern. At best they exemplify a misguided trust that would leave elections to the vicissitudes of error-prone voting machines; at worst they’re a deliberate attempt to highjack our democracy, and every citizen regardless of political affiliation has a right to be concerned.

As IT professionals, many of us work, or have worked, on accounting systems where the first design specification is the establishment of an audit trail. Every transaction must be verifiable and duplicatable. We would not think of writing an accounts payable system without audit controls, yet we are being asked to accept the results of national elections on faith. We don’t even know if the errors are accidental, deliberate, or a skillful combination of both? Have the machines been compromised, and just how secure are they? Until recently, it was impossible to know because the major suppliers of computerized voting machines steadfastly refused to reveal the inner workings of their systems.

In response, the IT community stepped up its public expression of concern about the fallibility of voting machines and the unreasonable levels of secrecy surrounding them. David Dill, professor of computer science at Stanford, and Peter Neumann, chief scientist at Stanford Research Institute, have testified at a number of hearings that machines which do not produce a voter-verifiable audit trail cannot be made secure. Dill’s investigation into the issue resulted in a “Resolution on Electronic Voting” which, according to Doug Pibel writing in Yes, “calls for a moratorium on any voting system that does not provide a tangible record for the voter to examine before leaving the voting booth.” The resolution has been endorsed by over 600 computer professionals.

As for secrecy, Ronnie Dugger, in a recent article in The Nation, quotes Dill as lamenting: “Why am I always being asked to prove these systems aren’t secure? The burden of proof ought to be on the vendor. You ask about the hardware. ‘Secret.’ The software? ‘Secret.’ What’s the cryptography? ‘Can’t tell you because that’ll compromise the secrecy of the machines.’ Federal testing procedures? ‘Secret.’ Results of the tests? ‘Secret.’ Basically we’re required to have blind faith.”

But blind faith didn’t cut it with another segment of the IT community: hackers. Harris and her colleagues decided to test the security of one of the largest voting system providers. What they found isn’t encouraging.

“Diebold Election Systems had been storing 40,000 of its files on an open [unprotected] Web site, an obscure site, never revealed to public interest groups, but generally known among election industry insiders, and available to any hacker with a laptop . . . The contents of these files amounted to a virtual handbook for vote-tampering: They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software.” So much for claims of security.

But not only did Harris find that tampering was possible, she found evidence that–not unlike those who practice accounting fraud and keep multiple sets of books–Diebold keeps multiple sets of voting records. Here’s how the unpublicized part of the system works:

“Voters vote at the precinct, running their ballot through an optical scan, or entering their vote on a touch screen. After the polls close, poll workers transmit the votes that have been accumulated to the county office. They do this by modem. At the county office, there is a ‘host computer’ with a program on it called GEMS. GEMS receives the incoming votes and stores them in a ledger. But in the files we examined, which were created by Diebold employees and/or county officials, we learned that the Diebold program used another set of books with a copy of what is in vote ledger 1. And at the same time, it made yet a third vote ledger with another copy. Apparently, the Elections Supervisor never sees these three sets of books. All she sees is the reports she can run: Election summary (totals, county wide) or a detail report (totals for each precinct). She has no way of knowing that her GEMS program is using multiple sets of books, because the GEMS interface draws its data from an Access database, which is hidden. And here is what is quite odd: On the programs we tested, the Election summary (totals, county wide) come from vote ledger 2 instead of vote ledger 1, and ledger 2 can be altered so it may or may not match ledger 1.”

Don’t you love hackers?

If scientists, journalists, and hackers are defending democracy, then it’s in competent hands. Recently, though, election officials openly joined the fray. California’s Secretary of State banned Diebold voting machines from four counties, accusing Diebold officials of lying and misconduct after machines using uncertified, illegal software disenfranchised thousands of voters. The state’s Attorney General is now suing Diebold. In Florida, officials became suspicious when voter counts kept by poll workers showed 713 voters had cast ballots, and voting machines tallied 749 voters. Their complaints were dismissed because the machines were operating within an “acceptable” 10 percent margin of error. Acceptable to whom? As Shakespeare might have said, Something’s rotten in Diebold.

It was Ronald Reagan who admonished that we should “trust but verify.” It was a reasonable caution then, and it’s a reasonable caution now. If we fail to heed it, we will, by default, be at the mercy of a very different philosophy voiced by a very different man; a man who knew a thing or two about ignoring the will of the people and holding on to the reigns of power at any cost; a man whose contempt and disdain for the electoral process serves as a timely warning: “Those who cast the votes decide nothing, those who count the votes decide everything.”

That man was Joseph Stalin.