A touch-screen voting system that Maryland has just agreed to buy for $55 million and install in every precinct in the state is so flawed that a 15-year-old with a modicum of computer savvy could manipulate the system and change the outcome of an election, computer scientists at Johns Hopkins University said yesterday.
An analysis by the Information Security Institute suggests that voters could cast their ballots repeatedly and poll workers could tamper with the ballots -- all without detection -- on the system, which is already in place in several states.
"Is it responsible to let people vote when they know the machines can be compromised?" said Avi Rubin, technical director of the Baltimore-based institute. "What the state of Maryland needs to do is to realize they purchased something that didn't work and ask for their money back."
The machine's manufacturer, Diebold Election Systems, defended the integrity of election results and dismissed the report's findings as the concerns of those who spend too much time in the ivory tower.
"Electronic election auditing and security is a very complex and multilayered process, which is not always well understood by individuals with little to no real-world experience in developing and implementing such a process," said Michael Jacobsen, spokesman for the Ohio-based company.
After the 2000 presidential election exposed problems with paper ballots, Maryland and other states rushed to institute electronic systems. Already, Diebold has 50,000 machines tabulating votes in such places as California, Kansas and some Maryland counties, including Prince George's and Montgomery.
David Heller, project manager for voting systems with the Maryland State Board of Elections, said state law and election training procedures are designed to ensure the integrity of elections, regardless of the voting machine.
"The chances of someone manipulating the system are slim to none," he said.
The recent Diebold agreement, under which the state and counties pay $30 million for the machines and about $25 million for optional maintenance and services, is the second phase of a multiyear effort to put electronic voting machines with ATM-like smart cards in every precinct by 2006. In the first phase, the state spent $17 million to put more than 5,000 machines with 15-inch touch screens in the four counties with the most antiquated voting machines.
Heller points to a recount in Allegany County, where electronic machines were used. "We printed out all ballot images to verify the unit did tally correctly. There were no variances," he said. "That gives the system more credibility. The results of the recount speak for themselves."
The scientists disagree. One year ago, Johns Hopkins researcher Rubin published a paper speculating on all the ways an electronic voting machine could be compromised. "Looking at the actual code," he said yesterday, "it appears a lot worse than I predicted."
Rubin was able to get the computer code through a fluke. The code was initially posted on a public Internet site and downloaded by concerned activists this year. Rubin and two doctoral students began analyzing the code this summer.
Diebold also is one of the largest manufacturers of touch-screen ATM cash-dispensing machines. In their analysis, the Hopkins scientists said they found little difference in the security of software used for ATMs and other commercial machines and voting machines. And that, they conclude, is not good enough when democracy is at stake.
"Within the first half-hour of analysis, we found some immediate red flags," said Yoshi Kohno, a doctoral student. "The more we examined it, the more we concluded this thing should not be used in elections."
Diebold's Jacobsen said the software code that the Hopkins scientists evaluated was outdated and was never used in an election.
Still, Rubin said that the software code is so flawed that, even if it has been updated, there is no easy fix. "You can't take something that's that broken and turn it into something secure," he said.
For instance, the computers are hard-wired to require the same password for every machine, Rubin said. "Computer Security 101 would tell you that's the first thing not to do," he said.
While disputing the findings, Jacobsen did say that the company planned to take the study and review its software design. "We'll do what it takes to get folks comfortable with this process," he said, "as much as is reasonable."
After the prolonged recount in the 2000 presidential election, commissions and task forces throughout the country concluded that the only way to avoid the problems of hanging chads, butterfly ballots, overvotes and erasure marks was to install state-of-the-art electronic voting equipment.
A law signed by President Bush in November requiring at least one electronic voting machine in every precinct to aid disabled voters is helping to fuel the demand for the systems.
But the movement has increased tension between manufacturers, who are fiercely competing for lucrative contracts, and computer scientists and activists, who fear that the technology isn't ready for prime time. Already, more than 300 experts have joined a campaign to educate public officials that, in their view, the machines are unreliable and to pressure the industry to set higher standards for security.
Paul S. Herrnson, director of the Center for American Politics and Citizenship at the University of Maryland, studied how the electronic machines worked in the 2002 elections in Montgomery and Prince George's.
Far from the promises of an easy, stress-free voting experience, he found that one in 10 voters needed assistance and about 15 percent did not trust that the machines recorded their votes properly.