Great, I thought: Here I am in downtown Asheville on a Saturday before the scheduled elections; why not vote now? I’ll even get a paper ballot! But after walking into the Board of Elections, I quickly learned that paper ballots are only an option for absentee voters. Arghh! Guess I’ll just have to trust those machines. So I went ahead and voted, though I couldn’t help but think about the problems in Florida in 2000.
After the 2004 elections, however, I started wondering (along with many voters in Pennsylvania and Ohio) whether my vote had been counted. Why was there such a discrepancy between the exit polls and the final tally? By the late ’80s and early ’90s, exit polls were enabling the networks to predict with precision how a final vote would turn out. What changed?
Were the exit polls taken too early in the day? Did the exceptionally high turnout for this election make it harder to predict? Did the strong showing by fundamentalist Christian voters skew the results? Or could there have been some darker purpose at work?
As an electronics engineer, I’ve learned the hard way not to take things at face value. And in my professional capacity, I’ve developed and helped develop what are called “embedded systems” — microcomputer systems that are a part of equipment dedicated to a specific task (such as voting). As a result, I know all too well what can and can’t be done with them.
First of all, they can be rigged. It’s quite common for the microprocessor integrated circuits (or “chips”) from the large companies to have “back doors” that allow access for testing, diagnostics and reprogramming. Manufacturers keep quiet about this, because these instructions and access methods are not intended for public use. When a new chip comes out, hackers try to discover what the unpublished specifications are — and sometimes they succeed. It’s great fun.
Typically, back doors are not publicly acknowledged to exist until after they’ve been discovered. You could run an embedded system through its paces to check for functionality without ever knowing there was some sort of secret access built into it.
In designing embedded systems, it’s not unusual for a unique set of simultaneous button pushes or some special sequence of keystrokes to put the system into a test or diagnostic mode. This is one way a back door might be accessed.
If the embedded system has a serial or USB port (and most do), it might also be easily probed using an external device such as a computer or a PDA. Changeable programming jumpers and special connectors for software/firmware downloads are often present on embedded-system circuit boards. And data can be externally introduced in many different ways, especially with some help from back doors in the software, firmware and hardware.
These days, it’s relatively inexpensive and easy for a small team of engineers — or sometimes just one — to design and specify the production of a custom chip. And this isn’t limited to just a microcomputer either. You can even put radio and wireless data-link circuitry on the same chip with digital hardware. In many wireless devices, it’s quite common for a printed-circuit-board trace to serve as an antenna — with no hint to the outside world that such an antenna even exists.
In other words, in any embedded system, it’s possible to add input, change programming and alter data. My understanding is that manufacturers of voting machines do not allow anyone to look at the internals or the detailed hardware and software documentation of their machines — it’s all considered part of the corporation’s proprietary information.
So does anyone outside of a handful of engineers (who are presumably in the pockets of their corporate employers) know what software and hardware are actually being used in these machines? Are the people responsible for testing and operating voting machines at the local level even aware of all the reprogramming, diagnostic and data-altering methods?
Safeguarding our votes
As a practicing electronics engineer, I can assure you that it’s entirely possible to design a voting machine that will work perfectly when tested and still not be secure.
Imagine, for example, that Mr. Smith has a lot of money and very strong political convictions. He also knows something about current technological capabilities, since he serves on the boards of several electronics firms. After some snooping around, he discovers Mr. Jones — a senior engineer at a company that manufactures voting machines.
Mr. Jones, it turns out, has some heavy-duty gambling debts, and only the gentlest of persuasion is needed to bring him around. The minor changes in the software and the specially modified chips that replace the originals go unnoticed. Now all it takes to shift the tally results on that model is simultaneously pressing eight specific keys for five seconds.
But it doesn’t stop there. For the next election, Smith plans to place a wireless device into a custom chip that’s being designed for the next-generation voting machine. Just a few obscure changes in the printed circuit board and voilà: instant antenna! Now, all Mr. Smith has to do is hire teams of people to drive nondescript vans around major cities on Election Day to wirelessly transmit the desired tallies to the retooled machines.
Nothing in the present electoral process could detect — let alone prevent — such abuse. So how worried should we be about whether our votes are getting counted?
I was fortunate enough to be given a look at the Buncombe County Board of Elections operations center; I also spoke with some of their technical people. To me, their willingness to discuss the matter freely demonstrated an attitude of transparency; I had no sense that they were holding anything back. In addition, the Sequoia AVC Advantage machines being used in Buncombe County seem to be one of the better brands available, with no major problems reported during the decade or so that they’ve been in use here.
If it were solely up to these folks, I believe my vote would be counted honestly and accurately. Unfortunately, there are some things a county official with limited information and a modest budget can’t test for. What can be done, then, to ensure the integrity of the electoral process?
Traditional paper ballots work adequately and are trusted — because physical ballots can be stored in a closet, and the different party officials in each county can put their own locks on the door. They can look over one another’s shoulders while the ballots are being counted. The ballots can be stored under security in case they’re needed for a recount. Is the system flawless? No, but the problems have been relatively few. And I, for one, can live with them.
Can electronic voting machines ever be made to work? Despite my reservations, my answer is yes. Transparency and accountability are the keys.
First off, require the manufacturers to supply detailed technical information to special groups of engineers, including representatives of all the major political parties.
Give these engineers enough time and resources to do a thorough job and check all aspects of voting-machine security, including susceptibility to influence by radio and electromagnetic fields. Allow reverse engineering to ensure that no chips contain hardware back doors.
If anything were found, then suits could be filed and penalties levied. It’s the American way. Proprietary commercial information or trade secrets need not be leaked to the general public or the competition. Any party that can get on the ballot can assemble its own technical team that, given the needed information, could probe the innards of each make and model of voting machine for software and hardware back doors. Expensive? Yes. Worth it? You bet.
According to a story on CNET.com, China set up a lab in Beijing to verify software in 2003. By August of that year, Microsoft had allowed the entire Windows operating-system source code to be inspected and certified in China. Chinese government security specialists checked for back doors in the operating systems used to store state secrets. Other governments have similar arrangements with Microsoft through its Government Security Program.
If these corporate secrets can be shared with China, why can’t the American people have a number of teams poring over voting-machine hardware and software on the public’s behalf?
Another key strategy is establishing high standards for software and hardware security. Make sure the machines themselves include protective measures. Help safeguard the physical security of these machines by locking them up (Buncombe County already does this). Maintain transparency and accountability!
And finally, establish a paper trail. Have the voting machines print out a ballot/receipt that includes the voter’s selections. Voters would verify their selections and then cast these ballots in the traditional way, to be used in the event of a recount. Essentially, you’d be voting twice, with the second round serving as a backup.