Contact l Sitemap

home industries issues reasearch weblog press

Home  » Campaigns » Past Campaigns » Corporate Influence on the ...

November Surprise

Electronic Voting Machines Add Uncertainty to Close Election Race
by Stephen MillerSpecial to Corpwatch
September 8th, 2004

Cartoonist: Khalil Bendib

Yesterday, Bill Lockyer, Attorney General of California, joined Alameda county in a False Claims Act case against Diebold Election Systems seeking damages and guarantees for future performance on over $13 million worth of voting terminals purchased by the county. Last week, the Secretary of State of California, Kevin Shelley re-affirmed a ban on four California counties planning to use brand-new Diebold machines that failed to meet certification requirements in time for the November elections. At the same time, Shelley allowed 11 California counties, including Alameda, to re-certify their touch screen voting systems after meeting 23 new security requirements. This is only part of a flurry of activity across the country, as dozens of election commissions, county clerks and voting registrars scramble to maintain public confidence in an election system shaken by the 2000 Presidential election and worries about failures by hi-tech electronic solutions.

These worries are exacerbated by the fact that touch screen voting machines will tally approximately 30% of the votes cast in the U.S. elections this November. In the swing states, where the election is expected to be close, 14 of 20 states (representing over 200 electoral votes) will have at least one county using electronic voting, many for the first time. (See swing state maps.)
Following the 2000 presidential election and the Florida hanging chads debacle, Congress passed the "Helping America Vote Act (HAVA)" allocating $3.86 billion in federal matching funds to overhaul America's voting infrastructure. With state matching funds, the total spent on preventing "another Florida" has been estimated as high as $5 billion through this election cycle, according to The Wall Street Journal. Each state has taken its own approach to meeting the congressional requirements, but no application of this money has been more controversial than states purchasing direct-recording-electronic voting systems (DREs), which generally do not create a paper trail, to replace punch card and lever-operated voting systems.

Almost 30 percent of registered voters now live in jurisdictions that use DREs, rising from just 13 percent in the 2000 election, according to Electionline.org, a Pew Charitable trust sponsored non-partisan election research institute. The Federal Election Commission states that 19 companies produce DREs, but the market is dominated by just four: Election Systems and Software (ES&S), Diebold Election Systems, Sequoia Voting Systems, and Hart Intercivic. Between DREs and other voting technologies, machines of these four companies will tally nearly 100 million votes this Election Day, the vast majority of those cast. Furthermore, nearly 50 percent of precincts will use machines created by ES&S.

While this private oligopoly on the voting machine market is troubling in itself, these concerns have been exacerbated by a litany of poor security, conflicts of interest, and a lack of planning for the future of the machines purchased.

Security risks
"If a voting machine makes an error, either unintentional or through malice, I want there to be a very good chance it will be caught," says David Dill, a professor at Stanford's Department of Computer Science. Dill is one of the foremost critics of the way electronic voting machine manufacturers handle security issues, and with good reason. The manufacturers consider their security procedures and software to be proprietary, and have refused requests by computer scientists to test the code for vulnerabilities. Ironically, they have also been lax in protecting that code, even transmitting code via unsecured websites available to anyone using the Internet.

The first publicly acknowledged major security breach occurred in Georgia in 2002. Democratic candidates enjoying comfortable leads in advance polls were defeated on election day. The votes were cast using over 19,000 Diebold electronic voting machines. (Georgia paid $54 million for the system.) After the election, a former Diebold engineer revealed that Diebold had changed the software in the machines three times after the software was certified, an act unbeknownst to the Georgia election officials, and illegal under Georgia law. While, election officials have found no proof that the results of the election (the first Republican governor in Georgia in 130 years) were affected by the alleged violations, lacking a paper audit trail they have also been unable to prove the opposite.

Even more controversy arose after writer Beverly Harris and publisher David Allen brought to public attention a bevy of secret files openly accessible on an old website of Global Election Systems, now owned by Diebold and whose software is the foundation of Diebold machines. Among the 40,000 files accessible on the website were "the software used to tally the votes in an election," says Allen. "It was pretty much the blueprints to the vault: everything you would need to know if you were looking to hack one of these machines."

Aviel Rubin, a professor at Johns Hopkins University's Information Security Institute, was asked to review the Diebold code accessible on the company's website and used by its machines. Rubin and his colleagues found numerous security issues with the code, including the use of a consumer version of Microsoft Access as the database in which votes were stored, a product that has few security measures. The report, which garnered front page news in a number of newspapers, was released only days after Maryland had purchased 11,000 Diebold DRE machines at a price of $55.6 million. Maryland then had the Science Applications International Corporation (SAIC) review Rubin's findings. SAIC verified Rubin's concerns, reporting that they had "identified several high risk vulnerabilities of the managerial, operational, and technical controls for [Diebold's] AccuVote-TS voting system." The SAIC report continued, "If these vulnerabilities are exploited, significant impact could occur on the accuracy, integrity, and availability of election results."

The controversy in Maryland subsequently caused Ohio, who was in the midst of contract negotiations to purchase electronic voting machines, to investigate the security software of all four major vendors. The December, 2003, report to the Ohio secretary of state found Diebold machines possessed 15 security risks, while ES&S machines had 17, Sequoia machines had 15, and Hart InterCivic machines had 10. Of those risks identified, Diebold machines had five that the report considered "high." The report also found a number of "high" risks among the other DRE manufacturers: four for Hart Intercivic, three for Sequoia, and one for ES&S.

Among the high security risks was Diebold's policy of providing "supervisor cards" that allow the voting session to be started or terminated, which had the same security PIN code nationwide. ES&S machines had a function, intended to retrieve votes from a broken machine, which could add votes multiple times to the overall tally without any warning. Also, the process of opening and closing the entire polling station on ES&S machines was controlled by a supervisor function that did not require a password, and provided no warning to a worker that the poll was about to be closed. Sequoia polling stations could be closed by flipping a switch on the back of the DRE that was accessible to all voters.

"What we've witnessed with the Diebold scenario is a complete and utter lack of transparency," says Rubin. "Diebold hid out in their labs and developed a voting machine without any security expertise, without any government requirements on them."

Many of these problems have since been fixed with patches. But as these companies insist that their code remain proprietary, the public remains in the dark as to whether these patches will have their own unintended consequences.

"They're saying trust us, and I don't," says Dill, who continues to investigate the security functions of DREs. "I don't have any reason to believe they're doing bad things, but I don't want to trust anyone with the integrity of my vote. I don't want to put the control of my government in the hands of a voting machine company."

Conflicts of interest
In August, 2003, in a decidedly impolitic move, Walden O' Dell, CEO of Diebold, wrote a fundraising letter promising to "help deliver Ohio's electoral votes" to President Bush.

O'Dell's comments brought out of the shadows the company's history of staunchly supporting the Republican Party, and shed some light on the conflicts of interest within the DRE manufacturing industry as a whole.

Diebold and its executives have contributed some $409,170 to Republican candidates and the Republican National Committee since 2001, while contributing only $2,500 to Democrats in the same time frame. In June, after the donations came under scrutiny following the revelations of security flaws year, Diebold's board of directors banned further contributions by company executives.

The other three major DRE manufacturers, while still contributing heavily, tend to cultivate both major parties. In 2001, ES&S and its executives gave $21,900 to Republicans and $24,550 to Democrats, Sequoia and executives gave $3,500 to Republicans and $18,500 to Democrats, and Hart InterCivic and executives donated $3,750 to Republicans and $2,500 to Democrats.

The companies are also engaged in lobbying efforts that, even if legal, bring into question the objectivity of states' voting machine acquisition process. For instance, lobbyist Gilbert J. Genn was lobbying for both Diebold and SAIC in the Maryland legislature, where the state had hired SAIC to test the reliability and security functions of the state's newly purchased Diebold DRE machines. Maryland Governor Robert Ehrlich, a Republican, asked for an investigation. The connection "was a complete surprise to the administration," a spokeswoman for the governor told The Washington Post, making clear that the company's lobbyist had not made his conflicts of interest known.

All four major electronic voting manufacturers are actively engaged in lobbying. Between 2001 and 2003, the latest year for which data is available, the four companies had lobbyists in at least 21 states, mostly seeking to procure funding for the purchase of their machines.

One such lobbying effort was that launched to pass California's Voting Modernization Bond Act of 2002, or Proposition 41, that allowed the state to secure a $200 million bond to purchase DREs. The two largest contributors in favor of the proposition were Sequoia and ES&S, contributing $100,000 and $50,000 respectively. After a flurry of television ads, the proposition passed with a bare 51.6 percent majority.

In addition to the contributions and lobbying dollars spent, there are other conflicts of interest that have called into question the independence of the DRE manufacturers. Among the conflicts:

-Senator Charles Hagel, a Nebraska Republican, has a controlling financial stake in the McCarthy Group, which in turn owns ES&S. Nebraska voters cast their votes on ES&S DREs. Further, Michael McCarthy, chairman of the McCarthy Group, served as Hagel's campaign treasurer from 1999 until 2002.

-Leaders of the nation's two largest DRE manufacturers, Diebold and ES&S, are a pair of brothers. Bob Urosevich is president of Diebold's election system division, while Todd Urosevich is a vice-president of ES&S.

-Alfie Charles left his job as the press secretary for California Secretary of State Bill Jones to become a spokesman for Sequoia in 2002. It was Jones' office that pressed for the passage of the $200 million funding initiative for DRE machines.

-Kathryn Ferguson, once the election chief in Clark County, Nevada-where Las Vegas lies-has been a lobbyist for Sequoia since 2001. In 2003, Nevada purchased Sequoia voting machines for the entire state.

-Sandra Mortham was hired as a lobbyist by ES&S to sell DREs in Florida, where she had served as secretary of state from 1995 to 1999.

This revolving door between elected officials and the voting machine companies, coupled with the money spent lobbying and contributed to candidates, makes clear that in many states, the choice to switch to DREs in this election cycle has not simply been a matter of objective decision making, but one where money and political persuasion has held sway.

Planning for the future
In the months since the security scandals broke, the battle over DRE machines has increasingly focused on whether a voter-verified paper audit trail (VVPAT) should be required for a DRE to be certified for use in the upcoming election. California Secretary of State Kevin Shelley has lead the way in requiring that all electronic voting systems have paper verification in time for July, 2006 elections, but most states will go without a VVPAT this year.

But even the VVPAT technology is not flawless. An August presentation of a Sequoia machine before California lawmakers failed to accurately reflect in the printed record votes cast in Spanish on the DRE, proving that while a printed record may provide insurance against human corruption, it does not prevent computer error from producing equal havoc. Even when they work, though, the units have one substantial flaw: they are expensive, adding about $500 to the cost of each machine. Judy Taylor, an elections director of St. Louis County, Missouri, told the Associated Press that, "printers will add $12 million to the $25 million bill to replace punch cards with touch-screen machines." Eighteen states using DREs in the upcoming election have no legislation requiring VVPAT, while at least another 14 states that will use DREs are considering VVPAT legislation, according to an April study by Electionline.org.

The future of DRE machines voting is filled with as many questions as it is this election cycle. "There nothing in HAVA that speaks to the on-going costs of touch screen voting," says Bruce Bradley, the Assistant Registrar of Voters for Ventura County, California.

Rebecca Mercuri, a professor at Harvard's Kennedy School of Government and a critic of DRE security flaws invented VVPAT technology but did not patent it. She notes that those upkeep costs may be extensive. "They include updating the warehouses so we can store these systems properly, covering the costs of additional personnel that are going to have to have to take care of these systems. In some cases, this is quite extensive because the regular personnel they have had, even on Election Day, cannot handle this equipment."

What the future portends for the upkeep of DREs may prove to be a bigger problem than their use this election, when the machines are new. "What happens 10 years down the road when all this equipment starts to break down?" asks Mercuri. "Are we going to spend another $3.8 billion? Will the federal government fork that over, or is it going to be taken over by the states and communities?"

According to an August company filing with the U.S. Securities and Exchange Commission, Diebold is still waiting to be paid $38 million by San Diego and two other California counties that bought touch-screen voting machines. According to Bloomerg.com, a financial advice news site, the Secretary of State's decision not to certify could mean those bills have to be written off . CEO Walden O'Dell says Diebold plans to stick with the voting machine unit regardless of profits. He says he sees it as a civic duty. "The country had a crisis, it was instantly apparent to me that we could help." O'Dell has no regrets, come November, elected officials, however selected, will find out if he was right.