Ion Sancho, director of elections for Leon County, Florida, recently invited Bev Harris and her team to attempt to hack his county's voting system. Leon County uses Diebold's optical scan system. It's a paper-based voting system that relies on computer software to tabulate the vote.
Sancho has been an outspoken supporter of paper-based voting systems; Bev Harris' test demonstrates the need to verify computer vote-counting software. In an optical scan system, this can be done (and is done in several states, including California) by selecting a subset of the optical scan paper ballots, publicly counting them by hand, then comparing the hand-counted totals to the software-counted totals. In an electronic voting system, this kind of verification can only be accomplished if there is a voter-verified paper audit trail of the electronic ballot that is used during the verification process. Fortunately, a number of states are beginning to mandate the paper trail, but most still must implement laws to require routine, public verification of software vote counts.
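The hand-count comparison described above can be sketched in a few lines. This is an added example, not code from any election system or from Black Box Voting; the precinct names, vote totals, seed-based selection method and 50% sample fraction are all constructed assumptions.

```python
import hashlib
import math

# Constructed sample data: totals reported by the tabulation software,
# and totals from a public hand count of the same paper ballots.
MACHINE_TOTALS = {
    "P1": {"Candidate A": 210, "Candidate B": 190},
    "P2": {"Candidate A": 120, "Candidate B": 305},
    "P3": {"Candidate A": 100, "Candidate B": 300},  # altered tally (constructed)
    "P4": {"Candidate A": 400, "Candidate B": 380},
}
HAND_COUNTS = {
    "P1": {"Candidate A": 210, "Candidate B": 190},
    "P2": {"Candidate A": 120, "Candidate B": 305},
    "P3": {"Candidate A": 250, "Candidate B": 150},
    "P4": {"Candidate A": 400, "Candidate B": 380},
}

def select_precincts(precinct_ids, seed, fraction):
    """Pick the audit subset reproducibly from a publicly announced seed.

    Assumption of this example: precincts are ranked by SHA-256(seed:id),
    so anyone can recompute the selection and nobody chooses it by hand.
    """
    count = max(1, math.ceil(len(precinct_ids) * fraction))
    ranked = sorted(
        precinct_ids,
        key=lambda p: hashlib.sha256(f"{seed}:{p}".encode()).hexdigest(),
    )
    return sorted(ranked[:count])

def audit(machine, hand, sample):
    """Return (precinct, candidate, machine_total, hand_total) for every mismatch."""
    mismatches = []
    for precinct in sample:
        if precinct not in hand:
            raise ValueError(f"no hand count recorded for {precinct}")
        m, h = machine.get(precinct, {}), hand[precinct]
        # Union of names catches a candidate missing from either record.
        for candidate in sorted(set(m) | set(h)):
            if m.get(candidate, 0) != h.get(candidate, 0):
                mismatches.append(
                    (precinct, candidate, m.get(candidate, 0), h.get(candidate, 0))
                )
    return mismatches

if __name__ == "__main__":
    sample = select_precincts(list(MACHINE_TOTALS), "constructed-seed", 0.5)
    print("audited precincts:", sample)
    for row in audit(MACHINE_TOTALS, HAND_COUNTS, sample):
        print("MISMATCH precinct=%s candidate=%s machine=%d hand=%d" % row)
```

A partial sample only catches an altered tally if that precinct is drawn, which is why the selection must be unpredictable before the count and reproducible afterwards.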
For more on the test, see Ion Sancho's account and Black Box Voting's report. Excerpts from Saturday's story in the Tallahassee Democrat are below:
All it takes is the right access.
Get that, and an election worker could manipulate voting results in the computers that read paper ballots - without leaving any digital fingerprints.
That was the verdict after Leon County Elections Supervisor Ion Sancho invited a team of researchers to look for holes in election software.
The group wasn't able to crack the Diebold system from outside the office. But, at the computer itself, they changed vote tallies, completely unrecorded.
Sancho said it illustrates the need for tight physical security, as well as a paper trail that can verify results, which the Legislature has rejected.
Black Box Voting, the non-profit that ran the test and published a report on the Internet, pointed to the findings as proof of an elections system clearly vulnerable to corruption.
But state officials in charge of overseeing elections pooh-poohed the test process and dismissed the group's report.
"Information on a blog site is not viable or credible," said Jenny Nash, a spokeswoman for the Department of State.
It went like this:
Sancho figured Leon County's security could withstand just about any sort of probing and wanted to prove it.
He went to one of the most skeptical - and vocal - watchdogs of election procedures. Bev Harris, founder of Black Box Voting, had experience with voting machines across the country.
She recruited two computer-security experts and made the trip to Tallahassee from her home in Washington state three times between February and late May.
Leon County is one of 30 counties in Florida that use Diebold optical scanners. Voters darken bubbles on a sheet of paper, sort of like filling in the answers on the SAT, and the scanners read them and add up the numbers.
So the task was simple. Get in, tamper with vote numbers, and get out clean.
They made their first attempts from outside the building. No success.
Then, they sat down at the vote-counting computers, the sort of access to the machines an employee might have. For the crackers, security protocols were no problem, passwords unnecessary.
They simply went around them.
After that, the security experts accomplished two things that should not have been possible.
They made 65,000 votes disappear simply by changing the real memory card - which stores the numbers - for one that had been altered.
And, while the software is supposed to create a record whenever someone makes changes to data stored in the system, it showed no evidence they'd managed to access and change information.
When they were done, they printed the poll tapes. Those are paper records, like cash register tape, that show the official numbers on the memory cards.
Two tapes, with different results. And the only way to tell the fake one?
At the bottom, it read, "Is this real? Or is it Memorex?"
"That was troubling," Sancho said.
In Leon County, access to the machines is strictly controlled, limited to a single employee. The memory cards are kept locked away, and they're tracked by serial number.
Those precautions help prevent any tampering.
"You've got to have security over the individual who's accessing the system," Sancho said. In fact, "you've got to have good security and control over every step of this process."
The trouble is, not every county is as closely run.
In Volusia County, her group has found what they think was memory-card tampering during the 2000 election. More than 16,000 votes for Al Gore vanished.
So what does the Department of State say?
Nash, the spokeswoman, said that the Diebold systems were designed to be used in secure settings, and that, by giving the testers direct access to the computers, Sancho had basically allowed them to bypass security.
In other words, not much of a test.
Except that the security experts were given only as much opportunity as any other election worker would have. Less so, considering that Sancho did not provide them with passwords or any other way to actually get into the programming.
As for the exact vulnerabilities that Harris reported - and Sancho confirmed - Nash said no one from the state could comment, since they hadn't been present at the test.
She added later that Sancho could request help from state certifiers if he had concerns, but had not asked yet.