Critics Concerned Electronic Voting Not Secure
IRA FLATOW, host:
This is TALK OF THE NATION Science Friday. I'm Ira Flatow.
The midterm election's just a few days away and if the primaries are any indication, we can expect some trouble at the ballots, because more than a third of American voters will be casting electronic ballots, using electronic voting machines. Many of these machines lack a system for verifying the vote. My next guest has been closely following our country's transition to electronic voting since back in 2003, when a colleague called him to tell him that a secret code of voting machine maker Diebold's machines was available on the Internet.
And just recently, someone again has released a Diebold secret code and his phone rang again. Here to talk about it is Avi Rubin, professor of computer science and the technology director of the Information Security Institute at Johns Hopkins University. His new book is called, Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting.
Welcome back to Science Friday, Dr. Rubin.
Doctor AVI RUBIN (John Hopkins University): Hi, nice to be here.
FLATOW: Tell us about that original phone call in 2003.
Dr. RUBIN: Well you know, I was a pretty new professor. I'd been working at AT&T labs for many years and I had just gone to John Hopkins to be a professor in the computer science department. My area of research is computer security and applied cryptography.
And I had been interested in voting systems. I had attended some meetings in Washington and written a couple of articles. But, you know, it wasn't my primary area, and then I got a call from Professor David Dill at Stanford University asking me if I was interested in looking at the source code, which is the software for the Diebold voting system.
And my reaction at the time was, well, what is Diebold? And he explained to me that they were the leading manufacturer of electronic voting systems. And it took a little while for me to understand that he was talking about the software for the actual voting machines that people were using to vote.
And, of course, you know, as a professor always looking for good research Problems, that was like a - you know, the jackpot falling in my lap.
FLATOW: Right, and so what did you discover when you looked at the voting system - the voting machine software?
Dr. RUBIN: So I should say I brought in my graduate students that I had with me and a colleague, and we all looked at it together. And I'd say, within the first hour, we knew that there was going to be a big problem with these voting machines because of the way the software was written.
You know, I like to make the analogy - I make it in my book - that a computer scientist looking at software's like an English professor looking at a manuscript or something like that. You know, they can tell right away if this person is a first-class writer or someone who doesn't speak English very well, writing it.
And it's the same thing looking at computer code. We saw that this code was very amateurish. They were using all kinds of incorrect methods. They were using encryption ciphers that had been broken many years earlier. And they were using them in incorrect ways. So we knew that this was not going to be a very good system.
FLATOW: Not a secure system.
Dr. RUBIN: No, the problems that we found, because that's what we were looking for, mostly had to do with security and... But, you know, I've come around a little bit in my opinion of these systems.
Initially, I thought that the biggest system was that the Diebold software was full of security problems and flaws and bugs.
But now, I think, that I've looked this problem for several years - that the bigger problem is the fact that this is an entirely software-based system. And so there is no independent audit trail possible - there is no way to verify the votes are being recorded correctly.
And it's the concept of having a computer voting machine that bothers me, more so than the specific poor implementation that we have from Diebold.
FLATOW: Is the danger one of miscounting votes or of being rigged?
Dr. RUBIN: Well, I think it's the latter. I think that just as much that I'm worried about it being rigged, I'm also worried about an unintentional software error causing the wrong outcome to come out.
And the biggest problem is that, regardless, of whether anything goes wrong with the machines, we don't know that it didn't. And there are voting systems that are possible, you know, paper-based systems where if you suspect that something went wrong, there's a way to check. You can perform a recount, so you can perform an audit.
The problem with these electronic systems is that if you suspect that something went wrong, and show me in election where someone didn't suspect that something went wrong, there's nothing that you can do about it.
FLATOW: Hmm. In fact, in your state of Maryland, aren't they - wasn't there a huge problem in the primaries and we're now going to be going back to paper?
Dr. RUBIN: Well, the first part is right and the second part, unfortunately, is not right. There was a huge problem in the primaries. I work as an election judge in Baltimore County and I worked the polls in the primaries. And we had moved to these electronic poll books.
And these systems were very buggy. They're used to check in the voters into the voting site and they were crashing all the time, our lines got very long. We had some problems with the actual voting machines, as well.
But there's an important distinction that needs to be made, which is - one has to do with the mechanics of an election. Did the election run smoothly and were people able to come through and get processed and vote?
And the other is, was the vote secure? And what I didn't like is after our primary, where we had all these problems which I would call the mechanics of running the election, that's what everyone focused their attention on, said see, these machines are terrible because they were crashing.
And I think that's the wrong conclusion. Yes, they're terrible because they were crashing, but they're also terrible because there's no way to verify the votes, there's no way to perform an audit. And even if the election were to run very, very smoothly and everybody would think that everything was great, that would still be the case.
The security problems don't have much to do with whether or not, you know, the actual running of the election is smooth.
FLATOW: Hmm. So the paper ballot, the paper trail is the key then?
Dr. RUBIN: Well, I actually prefer paper ballots to paper trails and I don't think we even have time today to get into all of the reasons. But the basic idea behind a paper trail is that you take one of these electronic systems and you augment it with a printer that prints out people's vote as they vote.
And, you know, and conceptually that's a pretty good idea. Unfortunately, many of the implementations of that have been very poor. The Diebold system, the AccuVote TSx, for example, has this voter-verified paper audit trail but it's under glass and it maintains all the votes in the order that they were cast -which has obvious privacy problems because you could count how many people vote in front of somebody. And then you could see this paper trail and then see how somebody voted.
And also they're unwieldy. Then election officials don't like them and they're not very useful for performing recounts or audits. And I don't think people are really auditing properly with them.
On the other hand, if you have paper ballots and they can be marked with the machine with a touch screen and then it prints out a paper ballot, you don't have the problem of having one electronic tally and one paper trail tally. You just have the ballots. And you count them and if you need to, you can recount them.
You can count them by machine. You can count them by hand. And so I think that, you know, looking at all the systems that I've been studying over the last several years, that paper ballots with a precinct optical scan counters and random audits is the best system that we can have.
FLATOW: Because it also helps people out who are used to writing. I mean, if you take a paper ballot and people know how to check things off and then you scan it, so the process is still familiar and you have the paper trail that's scanned.
Dr. RUBIN: Well, that's absolutely right. And, you know, many of the touted advantages of electronic voting can still be achieved with paper ballots if you use a computerized ballot marking scheme. So this is a system - and there are systems on the market that do this - where you go up to a touch screen and you make all your selections. But instead of counting votes, which is a security critical process, all that machines is capable of doing is printing out a filled-out ballot, as though you had filled it out by hand, except the ovals will be marked a lot more cleanly and very nicely.
And then you can look it over and say this is my ballot, it's fine. And then you go and cast it by putting it into an optical scanner that will keep it. And so if people don't want to mark them by hand, for whatever reason, they can mark it with a computer. And the way I'd like to see a voting system run at a precinct is you walk in and you're given a choice, would you like to mark your ballot by hand or would you like a computer-assisted marking?
FLATOW: Hm-mm. One of the things about the - about the voting machine is that it's - it's a proprietary system, is it not? The code, you know, cannot be looked at to find out what's inside. And you're, you're of the opinion we should have an open source code.
Dr. RUBIN: Yeah. In fact, I think the way to get to the heart of the matter is to realize that a voting system - it shouldn't matter if it's open source or not. Because if you're trusting the software, if you're saying that it has to be open source because you have to make sure there's nothing wrong with the software - then you're already in trouble. Because software is so complicated. Even a open source system can have bugs in it and security flaws that people just don't realize are there.
And the system that I described - of marking a paper ballot, you know, go ahead and open up the software for the scanner, or don't. It shouldn't really matter because you're not going to trust it. Every computerized component of a system - whether it's an optical scan that's counting, or a ballot marking system -can be audited properly. You can test them like crazy, and randomly audit them after the election. And so sure, I think it should be public software because, you know, what are we hiding from the public. Why not make it public? The public should have a right to see everything that has to do with elections. But, the security shouldn't depend on it being open source.
FLATOW: Well, let's talk about security because you just recently got another disc from Diebolds that's someone's sneaked out of - someone who had a secret disc, sneaked out somehow?
Dr. RUBIN: Yeah. Well, so, I'm not really sure of the origin. What happened was Cheryl Kagan is a former delegate here in Maryland - in the House of Delegates - and she received, under mysterious circumstances, these discs, were delivered with a note that said this is like a baby on your doorstep, or something like that. She gave it to the Washington Post. I get received a call from the reporter, asking me if I would take a look at it, but he asked me to agree that I would not make a copy, and I would not keep it, and I would not perform any analysis, just validate that what he had was the actual Diebold code. And so I agreed to that, because I wanted to know if that's what he had as well. And he brought them out here to my lab, and again, with my graduate students, we popped it in a computer, we took a look around until we were satisfied that that was the Diebold code. It was, you know, very similar to the one we had looked at three years ago, except it was the 2004 version, instead of 2002. And I've not been able to receive - I would love to get a copy of that, without that condition and be able to perform an analysis. There are a lot of useful things I could discover if I could do that, but I have not had access, and actually the FBI called me, to ask me about this, and to ask for the disc. But, you know, like I said I didn't have them at that point.
FLATOW: Is there no danger that these discs are leaking out? Somehow?
Dr. RUBIN: I'm not sure if there's a danger that they're leaking out. I think it speaks volumes about the, you know, the security capabilities of these companies. Because, you know, after their code leaked out in 2003, it caused Diebold great embarrassment. And you can believe that they instituted everything within their capabilities to prevent their code from leaking out again, and yet it did. I actually happen to believe that the software, this time, leaked out of the testing lab that tests these for federal qualification -and that's based on labels that were on the discs that I saw.
FLATOW: Hm-mmm. We're to take a short break and come back, talk lots more with Avi Rubin, the author of Brave New Ballot: The Battle to Safeguard Democracy in The Age of Electronic Voting. He'll be back for just a few more minutes after the break, take a question if we can. Stay with us. We'll be right back.
(Soundbite of music)
You're listening to TALK OF THE NATION's Science Friday. I'm Ira Flatow talking with Avi Rubin, author of Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting. Our number 1-800-989-8255.
You know, we have federal mechanisms, regulatory agents for drugs, and we have them for airlines. Do we have any regulatory agency that assure that all these voting machines live - are up to snuff and are in good condition?
Dr. RUBIN: We don't have anybody that's assuring that. The analogy to the drug and airline safety and all of that is actually I make in my book to contrast the fact that voting machines have almost no oversight. What there are, are these federal qualification labs, they call them independent testing authorities - which aren't really independent, they're actually hired by the vendors.
And what they're asked to do is to evaluate these voting machines to make sure they comply with certain standards. But I've read the standards and the standards are very weak on security, and most of the standards have to do with withstanding dropping from a certain height, and temperatures, and physical properties of the machines, etc. I've also heard that there was once a testing lab that was so good, that the rigorous security testing. So none of the vendors would use them because their machines weren't passing.
So we've now got - these testing labs have evolved because of this model that really do the minimal amount just to try to get these systems passed.
FLATOW: So are you expecting until things are all, are made better that we're going to have continued problems with electronic voting?
Dr. RUBIN: Well, again, there's two classes of problems, and I want to make this distinction once more. One is whether or not they work, and whether they crash or have problems that are visible on Election Day. And the other are the invisible problems; which is security, and did they get the right answer, and was there a bug that flipped votes from one candidate to another, and the fact that we can't recount or recover. I do think that these questions will persist as long as we use these machines. I'm part of an effort in Maryland that's going to take place I know, after this election to try - to switch back to optical scan paper ballots. And I hope that the rest of the country will follow suit.
FLATOW: All right. Thank you very much, Dr. Rubin, for taking time to be with us.
Dr. RUBIN: Thank you.
FLATOW: You're welcome. Avi Rubin, author of Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.