Must read: Ronnie Dugger: How They Could Steal the Election This Time

(Nation) ~Ronnie Dugger, founding editor of The Texas Observer and co-founder of the Alliance for Democracy, has written biographies of Lyndon Johnson and Ronald Reagan, as well as other books, and hundreds of articles for Harper's Magazine, The Nation, The New Yorker, The Atlantic Monthly, The Progressive and other periodicals.

"On November 2 millions of Americans will cast their votes for President in computerized voting systems that can be rigged by corporate or local-election insiders. Some 98 million citizens, five out of every six of the roughly 115 million who will go to the polls, will consign their votes into computers that unidentified computer programmers, working in the main for four private corporations and the officials of 10,500 election jurisdictions, could program to invisibly falsify the outcomes.
The result could be the failure of an American presidential election and its collapse into suspicions, accusations and a civic fury that will make Florida 2000 seem like a family spat in the kitchen. Robert Reich, Bill Clinton's Labor Secretary, has written, "Automated voting machines will be easily rigged, with no paper trails to document abuses." Senator John Kerry told Florida Democrats last March, "I don't think we ought to have any vote cast in America that cannot be traced and properly recounted." Pointing out in a recent speech at the NAACP convention that "a million African-Americans were disenfranchised in the last election," Kerry says his campaign is readying 2,000 lawyers to "challenge any place in America where you cannot trace the vote and count the votes" [see Greg Palast, "Vanishing Votes," May 17].
The potential for fraud and error is daunting. About 61 million of the votes in November, more than half the total, will be counted in the computers of one company, the privately held Election Systems and Software (ES&S) of Omaha, Nebraska. Altogether, nearly 100 million votes will be counted in computers provided and programmed by ES&S and three other private corporations: British-owned Sequoia Voting Systems of Oakland, California, whose touch-screen voting equipment was rejected as insecure against fraud by New York City in the 1990s; the Republican-identified company Diebold Election Systems of McKinney, Texas, whose machines malfunctioned this year in a California election; and Hart InterCivic of Austin, one of whose principal investors is Tom Hicks, who helped make George W. Bush a millionaire.
About a third of the votes, 36 million, will be tabulated completely inside the new paperless, direct-recording-electronic (DRE) voting systems, on which you vote directly on a touch-screen. Unlike receipted transactions at the neighborhood ATM, however, you get no paper record of your vote. Since, as a government expert says, "the ballot is embedded in the voting equipment," there is no voter-marked paper ballot to be counted or recounted. Voting on the DRE, you never know, despite what the touch-screen says, whether the computer is counting your vote as you think you are casting it or, either by error or fraud, it is giving it to another candidate. No one can tell what a computer does inside itself by looking at it; an election official "can't watch the bits inside," says Dr. Peter Neumann, the principal scientist at the Computer Science Laboratory of SRI International and a world authority on computer-based risks.
The four major election corporations count votes with voting-system source codes. These are kept strictly secret by contract with the local jurisdictions and states using the machines. That secrecy makes it next to impossible for a candidate to examine the source code used to tabulate his or her own contest. In computer jargon a "trapdoor" is an opening in the code through which the program can be corrupted. David Stutsman, an Indiana lawyer whose suits in the 1980s exposed a trapdoor that was being used by the nation's largest election company at that time, puts it well: "The secrecy of the ballot has been turned into the secrecy of the vote count."
According to Dr. David Dill, professor of computer science at Stanford, all elections conducted on DREs "are open to question." Challenging those who belittle the danger of fraud, Dill says that with trillions of dollars at stake in the battle for control of Congress and the presidency, potential attackers who might seek to fix elections include "hackers, candidates, zealots, foreign governments and criminal organizations," and "local officials can't stop it."
Last fall during a public talk on "The Voting Machine War" for advanced computer-science students at Stanford, Dill asked, "Why am I always being asked to prove these systems aren't secure? The burden of proof ought to be on the vendor. You ask about the hardware. 'Secret.' The software? 'Secret.' What's the cryptography? 'Can't tell you because that'll compromise the secrecy of the machines.'... Federal testing procedures? 'Secret'! Results of the tests? 'Secret'! Basically we are required to have blind faith."
The integrity of the vote-counting inside DREs depends on audit logs and reports they print out, but as Neumann says, these are "not real audit trails" because they are themselves riggable. The DREs randomly store three to seven complete sets of alleged duplicates of each voter's ballot, and sets of these images can be printed out after the election and manually counted. The companies claim that satisfies the requirement in the 2002 Help America Vote Act (HAVA) that "a manual audit capacity" must be available. But as informed computer scientists unanimously agree, if the first set of ballot images is corrupted, they all are. I asked Robert Boram, the chief engineer who invented a DRE sold by the RF Shoup voting-systems company, if he could rig his DRE's three sets of ballot images. "Give me a month," he replied.
The United States therefore faces the likelihood that about three out of ten of the votes in the national election this November will be unverifiable, unauditable and unrecountable. The private election companies and local and state election officials, when required to carry out recounts of elections conducted inside the DREs, will order the computers to spit out second printouts of the vote totals and the computers' wholly electronic, fakable "audit trail." The companies and most of the election officials will then tell the voters that the second printouts are "recounts" that prove the vote-counting was "100 percent accurate," even though a second printout is not a recount.
HAVA was supposed to solve election problems revealed in 2000; instead, it has made the situation worse. Under the act the Election Assistance Commission (EAC), appointed by President Bush, is supposed to set standards for the vote-counting process, but four months before the election the new agency had only seven full-time staff members. On June 17 the EAC sent $861 million to twenty-five states, mainly to buy computerized machines for which no new technical standards have been set. Its just-appointed fifteen-member technical standards committee does not include more than one leading critic of computerized vote-counting.
Rather than completely testing the vote-counting codes, there is some secretive testing of systems by three private companies that are chosen by the pro-voting-business National Association of State Election Directors. The companies consult obsolete pro-company and completely voluntary standards promulgated by the Federal Election Commission and get paid by the very companies whose equipment is being tested. The three private companies, speciously called Independent Testing Authorities, together constitute a Potemkin village to falsely assure the states and the voters of the security of the systems. Often their work is misrepresented as "federal testing." The states then test and "certify" the systems, and the local jurisdictions put on dog-and-pony-show "logic and accuracy tests," which are not capable of discovering hidden codes that would change vote totals.
"The system is much more out of control than anyone here may be willing to admit," Dr. Michael Shamos, a computer scientist at Carnegie-Mellon University and for many years an examiner of voting machines for Texas and Pennsylvania, told a House panel on June 24. "There's virtually no control over how software enters a voting machine." Shamos told another House panel on July 20, "There are no adequate standards for voting machines, nor any effective testing protocols."
Hackable computer codes control vote-counting in all three kinds of computerized systems that will be used again in the 2004 elections: the ballotless DREs, on which some 36 million will vote; optical-scan systems that electronically tally paper ballots marked by the voters, on which 40 million people will vote; and punch-card ballots, also tabulated by computerized card-readers, which gained notoriety in 2000 and are still used by 22 million voters. (Another 16 million still vote on the old lever machines, about a million on hand-counted paper ballots.)
Florida 2000 was universally misunderstood and mischaracterized in the press as a crisis of hanging chads on the punch-card ballots. The serious issue, then as now, was embodied in the explicit though all but unreported position that James Baker, George W. Bush's field commander in Florida, staked out to stop the recounting of votes. The computerized vote-counting systems, Baker declared, are "precision machinery" that both count and recount votes more accurately than people do. Now, with Senator Kerry demanding recountability, an ominously intensifying partisan split has developed in Washington over whether to have a voter-verified paper trail and, when necessary, to conduct recounts with it.

Torment in Washington

Though no broad citizens' movement has formed against computerized vote-counting, a nationwide backlash against unverifiable paperless voting has. The paper ballots used in the op-scan and punch-card systems already provide a voter-verified paper audit trail (VVPAT). The principal proposed security safeguard for the DRE system was invented, but not patented, ten years ago by computer scientist Rebecca Mercuri, now a research fellow at Harvard. In her solution, after voters record their choices on the touch-screen, they confirm them on a paper ballot that appears under glass and then push a button to cast the vote, causing the machine to deposit the paper ballot in a box that will hold it for recounting if that is ordered. The printer for the paper ballots for each voting machine should cost about $50; the total add-on could be $300-$600. Many jurisdictions also have the alternative of expanding or acquiring the relatively inexpensive optical-scan systems or other systems already in place that create paper trails.
In the US Senate seven Democrats and the one Independent are co-sponsoring a bill by Senators Bob Graham and Hillary Clinton to require paper trails on DREs by November, with a loophole for jurisdictions whose officials deem it to be technologically impossible. Clinton told the press that without a voter-verified paper trail GOP-leaning corporations might program voting machines to help Republicans steal elections [see sidebar, page 16]. In an interview in his hideaway office in the Capitol, Graham told me that he regards his and Clinton's bill as so obviously needed that it's "a no-brainer." The absence of a paper trail on the DREs could endanger "the legitimacy" of November's election, Graham said.
New Jersey Democrat Rush Holt introduced a House bill more than a year ago requiring a paper trail on DREs. It has 149 co-sponsors, including a few prominent Republicans. Holt says, "The verification has to be something that the voter herself or himself has to do"; without that, "we will never have a truly secure election." Holt's bill has opened up a partisan divide in the House. The chairman of the committee to which his bill is assigned, Ohio Republican Bob Ney, informed Holt that he is against the bill and would not allow a hearing on it. A few days later Graham and Holt wrote their fellow members of Congress that "without an independent, voter-verified paper trail, we will be able only to guess whether votes are accurately counted." Last month Ney relented and scheduled two hearings. Holt plans to offer his bill as an amendment to the Treasury appropriation after Congress returns from its August recess. Graham is still mulling his strategy.
The principal stated objection to a DRE paper trail comes from some spokespersons for the disabled, who characterize it as a step back from the touch-screen's improved accessibility and privacy. Many election officials, whose work paper ballots make both auditable and much more extensive, object variously that the attachment will add costs, that the printers might fail and that paper ballots can be stolen or counterfeited and sometimes produce somewhat different totals.
Leading citizen organizations have been split. Initially the League of Women Voters, concerned to minimize invalidly cast ballots, opposed the paper trail, but there was a revolt in the chapters and a petition for the paper trail was signed by 800 members. At the league's June convention, after a fight led by Barbara Simons, past president of the Association of Computer Machinery, the league switched sides, endorsing voting systems that are "recountable." Common Cause, placing the highest value on insuring that every vote is counted and can be recounted if necessary, has been among the leaders of the fight for the paper trail.

Around the States

Not surprisingly, the starkest resistance to the voter-verified paper trail comes from Florida, where more than half the citizens will have to vote on touch-screen systems in November. The President's brother, Governor Jeb Bush, and Jeb's Secretary of State, Glenda Hood, express unqualified confidence in the trustworthiness of the DRE systems and militantly oppose providing a paper-ballot trail for them. Hood has denied that the electronic voting machines can be tampered with in the software, saying: "The touch-screen machines are not computers. You'd have to go machine by machine, all over the state." A spokeswoman for her says flatly that "a manual recount is unnecessary."
This past spring a powerful state senator proposed to make it illegal to recount votes in the DRE systems, but she backed down when called on it by activists. Then Ed Kast, director of Hood's division of elections, who has since resigned, sought to achieve the same purpose by diktat, issuing a formal ruling that, despite the extant state law requiring recounts under certain circumstances, supervisors of elections do not need to recount DRE ballots. The ACLU and other groups have sued to invalidate that ruling; a spokesperson for the state Republican Party excoriates the suit as a left-wingers' "ploy to undermine voters' confidence."
Representative Robert Wexler, a Democrat from the southern tier of the three big counties on the Atlantic, which for election scandals is to Florida what Cook County is to Illinois, sued state and county election officials in state and federal court to require the VVPAT on DREs. He argues that allowing some voters to have manual recounts but not others violates the Supreme Court decision in Bush v. Gore compelling equal treatment of voters (although the majority specified it was only for that election). To date his suits, opposed at every step by the Bush Administration in Tallahassee, have gotten nowhere. If he loses, half the voters in Florida, those voting on DREs, will be denied the manual recounts that the other half can have.
The Bush forces in Florida geared up for another purge of released felons from the voter rolls. Ion Sancho, supervisor of elections for Leon County, admits with shame that the state's felon purge in 2000 resulted in more than 50,000 legal voters being disenfranchised. The state elections division identified 47,000 more suspected felons, a list disproportionately heavy with blacks, and asked that local election supervisors purge them. The Bush people refused to make the list public, but were ordered to do so by a judge. Only then was it discovered that the list excluded felons who are Hispanic. In Florida Hispanics tend to vote Republican. This dandy error was "absolutely unintentional," the Bush people said--while abandoning the then indefensible list. Miami Herald columnist Jim Defede wrote that Hood--an "amazing incompetent or the leader of a frightening conspiracy"--must resign.
"What are we going to do if there's a close race?" Wexler asked in the Orlando Sentinel. "The voting records of these machines will have disappeared in cyberspace." He told me angrily: "Apparently their motives are to suppress the vote in Florida in a number of different ways. They are refusing a paper trail on a computerized voting machine. They are again preparing on the felons--they've got a new and improved process. I don't trust 'em to do the right thing." This summer, Representative Alcee Hastings, whose district includes Fort Lauderdale and West Palm Beach, exclaimed, "Any way we cut it, these people are going to try to steal this election."
The Miami-Dade Reform Coalition asked Jeb Bush to audit the touch-screen machines this summer. Bush's spokesperson rebuffed that as "an accusation du jour." Undeterred, Democratic US Senator Bill Nelson of Florida demanded, "Why not do an audit when so much is at stake?... The national election for President could ride on the results coming out of Florida." Senator Nelson even sent a letter to Attorney General John Ashcroft asking that the federal government audit the machines.
This past spring in California, Diebold systems malfunctioned in two counties, disenfranchising thousands of voters. Secretary of State Kevin Shelley discovered that the voting systems in seventeen counties in the state had not been certified, as required by law. After two days of tumultuous hearings in Sacramento, during which high-level election officials called the company's behavior "despicable" and accused its officials of lying, Shelley prohibited the use of Diebold's systems in four counties, the first time this has happened in the United States. Shelley, who has said to the Los Angeles Times that he doesn't want to be "the Katherine Harris of the West Coast," also made the certification of voting systems in ten more counties dependent on their adoption of twenty-three security improvements that he specified. One of these requires those counties to let citizens vote on paper if they want to, but Shelley flinched at requiring a DRE paper trail this year. Four counties and advocates of the disabled sued Shelley to block his actions, but a federal judge ruled he had the authority and had used it reasonably.
Two secretaries of state, Republicans Dean Heller in Nevada and Matt Blunt in Missouri, have required that DREs in their states have a voter-verified paper ballot for the November election. Sequoia is producing the Mercuri VVPAT on demand for Nevada, and several small election companies, including Avante and AccuPoll, have built Mercuri attachments, won their certification and are ready to sell them to local jurisdictions now. Among the thirty-one other states with DRE voting systems in some of their jurisdictions, as of early summer legislatures in five had rejected requiring the paper trail, another nine were considering such a requirement and seventeen had no such proposal before them.
In swing-state Ohio, under procedures approved by Republican Secretary of State Kenneth Blackwell, thirty-one counties decided they would not use paperless DREs in November, and three said they would. Blackwell then ruled that because of unsolved security problems, none of them will. In Maryland, which imposed Diebold DREs statewide in 2002, the Board of Elections ruled that paper ballots cast in the March primary by citizens who did not want to vote on the DREs would not be counted. That's now in the courts. The Campaign for Verifiable Voting presented 13,000 signatures for a paper trail and called for the resignation of the state elections chief, Linda Lamone, who, sitting tight, said, "I think everything is going to be just fine." In Texas, Representative Ciro Rodriguez, chair of the Congressional Hispanic Caucus, was renominated by 150 votes until 419 "found votes" made challenger Henry Cuellar the winner. Rodriguez is contesting the outcome, but since the voting in Bexar County (San Antonio) was conducted on DREs, the votes there can't be recounted. "There's no paper trail to verify what was put in," Cuellar said.
A paper trail will not assure that elections won't be stolen in the DREs. "The only thing the VVPAT will do is give us the ability to prove that it happened," says Roxanne Jekot of Cumming, Georgia, a self-taught computer specialist who has become one of the most effective activists against paperless computerized voting. "There is nothing to deter that single outsourced information-technology worker [from manipulating the machine]. Nobody can prove that he did it."
Many states require recounts if an outcome in a computer-counted race is within a margin of less than 1 percent or a half or quarter percent, but that invites crooked programmers, if any such be at work, to jimmy their rigged outcomes to fall outside the recount-triggering spreads.
Furthermore, a paper trail isn't an audit unless the ballots are recounted. Even before the advent of touch-screen systems, obtaining actual recounts of elections was becoming more difficult. Election officials, election companies and state laws have often combined to block recounts or discourage narrowly losing candidates from getting them. Incredibly, in 2002 the legislature in Nebraska, the home state of Election Systems & Software, outlawed recounts of the paper ballots in the ES&S optical-scan computerized ballot-counting systems that tally 85 percent or so of the votes in that state. Colorado requires that for elections conducted on DRE machines, recounts must be conducted on the very same machines.
In Alabama two years ago, during a controversy over an election for governor conducted mostly on op-scan machines, Attorney General Bill Pryor, backing up the sheriff in one questioned county, ruled officially that under state law anyone recounting the ballots would be subject to arrest. This year President Bush, circumventing Senate hearings, elevated Pryor to the Eleventh Circuit Court of Appeals in a recess appointment.

'It's Really a Matter of Trust'

Confident, friendly, but officious, Jesse Durazo, the registrar of voters of Santa Clara County in the heart of the Silicon Valley, is typical of hundreds of local election officials who berate "the academics." This past spring, despite dire warnings from Professors Neumann of SRI and Dill of Stanford, Durazo led his county into buying 5,500 of the Sequoia AVC Edge DREs at $3,000 each ($20 million, figuring in everything). The anteroom of his county election headquarters is festooned with cheery signs such as one saying Voting Just Got Easier. He is delighted that DREs will facilitate voting by those who speak a foreign language (including Spanish, Vietnamese and Chinese).
Durazo said that the AVC had first been approved by the federal government (which is not correct) and then certified by the California secretary of state. He said that providing a voter-verified ballot would open the way to "unlimited error," while computer error, in contrast, can be "quantified." As for Trojan horses smuggling in corrupt instructions, he said in a confident tone, "I don't have those fears." Stealing votes in the computers is next to impossible, he insisted, because local ballots are set up at the last minute, there are a large number of races and ballot initiatives in any one election, and the order of the candidates' positions on the ballots is rotated in different precincts.
The three sets of all the votes, kept in the computer, provide the recount, he said. Are those not just copies of each other, automatically made? Durazo exclaimed in high dudgeon: "It's a redundant perfection!... It starts with the premise that the information in the system is correct."
Alfred Gonzales, Durazo's Filipino outreach specialist for voters who speak Tagalog, demonstrated the AVC, a sign on the top of which said Try It Out Today. No More Punchcards! I voted on it and asked Gonzales how I knew for sure that my vote would be counted. "Because it will be registered in the machine, saved in the hard drive, and put on a cartridge," he said. "At the end of the day it will be in the printout of the total." How did he know the machine would do that? "Because it has been federally certified!" he said. "There is fool-proof security." Well, one more thing, I asked. There's no ballot--what if you need a recount? "It's really a matter of trusting the machine," Gonzales said. Patting the AVC gently, he intoned with pride, "It's really a matter of trust."
"These companies are basically saying 'trust us,'" Rebecca Mercuri told the New York Times. "Why should anybody trust them? That's not the way democracy is supposed to work." Douglas Kellner, a leader on the New York City Board of Elections, exclaimed at a meeting of computer specialists in Berkeley this past spring, "I think the word 'trust' ought to be banned from election administration!" Dr. Avi Rubin, computer science professor and technical director of the Information Security Institute at Johns Hopkins University, recently testified before the federal Election Assistance Commission, "The vendors, and many election officials, such as those in Maryland and Georgia, continue to insist that the machines are perfectly secure. I cannot fathom the basis for their claims. I do not know of a single computer security expert who would testify that these machines are secure."
Mercuri wrote in her dissertation on vote-counting in 2001 that "security flaws (such as Trojan horse attacks)...are possible in all of the computer-based voting systems" and that providing thorough examinations of source code and other circuits for DREs that vary from municipality to municipality "is a Herculean task--one that is likely not to be affordable, even if it were accomplishable."
Not all the scientists agree. Michael Shamos of Carnegie-Mellon, who once warned that computerized vote-counting is highly vulnerable to fraud, now takes the position that "the issue is not whether voting systems are absolutely secure, but whether they present barriers sufficiently formidable to give us confidence in the integrity of our elections."

Voting Machines Stolen in Georgia

In 2000 five out of six Georgians cast a paper ballot that could be recounted on ES&S systems. In January 2001, in a speech to the Democratic-controlled legislature, Georgia Secretary of State Cathy Cox, a Democrat who is expected to run for governor in 2006, declared that considering all the recent problems down in Florida, Georgia should adopt one "uniform electronic voting system by November 2004." Upon Cox's fervent recommendation of the just-born Diebold Election Systems, in May 2002 Georgia agreed to pay Diebold $54 million for 19,000 DRE voting systems. The counties and cities of Georgia had chosen their own voting machines for the last time, and, less obviously, Georgians had lost their ability to recount their votes in contested elections.
At once Diebold set to manufacturing 282 of its AccuVote TS voting systems a day. Some of the earliest ones arriving in Georgia, sent out for use in the training of election workers, were left in a hotel conference room overnight, stolen and never recovered. Late that June the secret vote-counting codes inside nine to fourteen more of the Diebold machines were stolen. Diebold made an uncounted number of apparently illegal changes in the election-conducting code between June and November. The memory cards on which the votes on each of the computers were recorded on election day all over Georgia had no encryption. According to Rob Behler, who served as Diebold's production deployment manager in Georgia during the first half of that summer, those cards could be used to change the results manually, precinct by precinct.
Incumbent US Senator Max Cleland and incumbent Governor Roy Barnes, both Democrats, were odds-on favorites to win re-election. A week before the voting an Atlanta Journal-Constitution poll showed Cleland ahead by five points, 49-44, but on election day he lost to his Republican opponent, Saxby Chambliss, by seven points, 53-46, a twelve-point swing. The loss of Governor Barnes to Sonny Perdue was even more remarkable: a one-week switch of fourteen percentage points. These were suspicious anomalies, and subsequently in a Peach State Poll one in eight Georgia voters were "not very confident" or "not at all confident" that the DREs had produced accurate results; another 32 percent were only "somewhat confident."
In his front parlor at home in Georgia, Rob Behler told me that just before or just as he took over the Atlanta warehouse for Diebold, some of the voting machines had been sent out to "do demos," and in one southern county "somebody broke in and stole...[nine or] fourteen of the machines and, I think, one of the servers." He says the vote-counting programs in the stolen computers could have been completely reconstructed by reverse engineering and employed to jimmy the election.
"Quality-checking" the AccuVote machines as they arrived from Diebold at a warehouse in Atlanta, Behler and his crew found problems, he says, with "every single one" of them and about a fifth of them were shoved aside as unusable. When Diebold's programmers wanted "patches," that is, changes, inserted into the voting-system software, Behler says, they sent them to him via the company's open, insecure File Transfer Protocol (FTP) site in cyberspace. On his own unsecured laptop (resting on his desk as he spoke), Behler made twenty-two or twenty-three of the cards that were used to change the programs in the machines.
The night of the November 2002 election, sixty-seven of the memory cards used in Fulton County (Atlanta) disappeared. Running his laptop with a dual battery, Behler says, in six or seven hours he could have changed the totals on those sixty-seven cards. "There's no technical problem. There was absolutely zero protection on the card itself. You throw the card in, you just drill down into its files."
Brit Williams, a computer consultant at Kennesaw State University who runs Georgia's testing of voting systems, confirmed to me that the memory cards were not encrypted and all had the same password (1111), but each one, he contended, was "unique to its machine." He snapped, "We had 22,000 voting stations. How would you like to be in charge of 22,000 passwords?" Williams said the sixty-seven missing memory cards in Atlanta had been left in the machines by forgetful workers and were recovered.
The Georgia election of 2002 illustrates how serious risks of technical malfunctions and malicious tampering can occur without anyone outside the voting business finding out about them. No doubt in part because of the hasty start-up, Diebold's "security," though approved by the independent testing authorities and the state, was in fact farcical. Both of the losing Democrats had backed installation of the DRE systems statewide, so they could hardly call for recounts that their own state party had made literally impossible.

(click title for full text)