Introduction to How can someone tamper with an electronic voting machine?


Photo courtesy Wikipedia
Photographer: User Joebeone
Diebold AccuVote-TSx voting machine with printer attachment
The November 2006 elections that will decide the make-up of the U.S. Congress and state and local governments are facing more uncertainty than any election to date. Instead of "Democrat or Republican," the more pressing question has become "accurate count or complete debacle?" More than 60 million Americans will be casting their votes on electronic voting machines for the first time. Some fear human and machine error, both of which have occurred in almost all electronic voting since the machines were introduced in limited scope in 2002. Others fear a darker foe, and it's not just conspiracy theorists: For the past three or four years, computer scientists have been tampering with voting machines to prove it can be done. And they say it's actually pretty easy.

With electronic voting, the entire setup is electronic, not just the actual casting of the vote. The general process of electronic voting on the most common touchscreen models goes something like this:

  1. The voter checks in with election personnel, who enter the voter's name into a computer database to make sure he or she has not already voted.
  2. The voter is given a "smart card" -- basically a credit-card-type device with a microchip in it -- that activates the electronic voting machine.
  3. The voter casts his or her vote by touching a name on the screen.
  4. If the model includes printout capabilities (which is required by more than half of U.S. states), the voter receives a printout that verifies his or her choices before leaving the booth. If the printout is correct, the voter inserts it into voting machine before leaving the booth to complete the voting process. (If it's incorrect, different models have different remedies, but it's safe to say it starts to get messy at that point). In non-print-out models, the voter leaves the booth after cast his or her vote on the touchscreen.
  5. Once the polling place has closed, an election official inserts a supervisor's smart card into the voting machine and enters a password to access the tally of all votes on that machine. Election officials either transmit the tallies electronically, via a network connection, to a central location for the county, or else carry the memory card by hand to the central location.
Election officials point out that there are many safeguards in place to make sure no one tampers with the voting machines -- this is an election we're talking about, after all. Some of those safeguards include tamper-resistant tape over the machine's memory card slot, a lock over the memory card slot and the machine's battery, and the process of comparing the total votes on the memory card to the number of voters at polling place and to a voting record stored on the machine's hard disk (and to physical printouts if available). Machines are password protected and require special access cards for anyone to get to the memory card, and most polling places conduct background checks of election workers. Finally, the software on these machines automatically encrypts every vote that is cast. So, where does the problem come in?

Experts point out lots of areas that need improvement, but as you can probably tell from the list of safeguards above, the memory card is considered to be the weakest point in the system. Princeton University computer-science professor Edward Felton and a couple of his graduate students got themselves one of the most common voting machines -- a Diebold AccuVote-TS -- and had their way with it. They picked the lock blocking access to the memory card and replaced it with a memory card they had infected with a virus. The virus altered the votes cast on the machine in a way that would be undetectable to election officials, because the vote numbers were not only changed on the memory card, but also in all of the backup logs on the machine's hard disk. So the final numbers matched up just fine. Another report, this one by a computer science professor who is also an election volunteer, states that the security tape protected the memory card slot looks almost exactly the same after someone removes it and then replaces it -- you have to hold the machine at a certain angle in the light to see the "VOID" imprint that arises after tampering.

Other experts focus on the software that records each vote. It's too simple, they say, and not encrypted well enough. The typical code is a standard "Roger Moore = 1" and "Sean Connery = 2" type of setup, which even a computer neophyte could tamper with if they have access to the machine. All it would take is a memory card with a bug loaded onto it to switch the values. Also at issue is the type of encryption used in the voting machines, which experts say is far from state of the art. But at least in the case of the Diebold machines, experts really only have access to one older version of the software that was leaked through a security hole in the Diebold network, so no one can be sure whether the same flaws exist in the latest version of the program. Diebold won't release the software for public review because it's proprietary.

Beyond the machine itself, the method of electronically transferring tallies between polling places and a central location for the county is another possible point of weakness. A hacker can intercept the vote tallies on their way to the central counting location by attaching a what amounts to a tap at the network router or hub. He or she could grab the numbers on their way across the network -- which in many cases isn't encrypted -- and load up a different set of tallies in their place. However, as long as the central location double checks the electronically transmitted numbers with the memory cards and printouts from each polling place, this method of fraud would ultimately fail.

For more information on electronic voting issues and related topics, check out the following links: