Monday, January 23, 2006

Diebold's interpreted source code

Today's Oakland Tribune features this article by Ian Hoffman which explains the controversy surrounding Diebold's use of what's known as "interpreted code" in its voting systems. Excerpts are below.

----------

For more than two years, Diebold Election Systems Inc. has hit one political or technical snag after another trying to reap more than $40 million in voting-machine sales in California.

Now only a collection of tiny software files on Diebold's latest voting machines stand in the way of those revenues and more. Last summer, a Finnish computer expert using an agricultural device found he could rig the votes stored on Diebold's memory cards and rewrite one of those files to cover his tracks.

The revelation posed a double problem for Diebold: Not only could its optical-scanning voting machines be hacked, but state and federal rules for more than a year have forbidden those files in voting machines.

This week, scientists at the University of California, Berkeley, UC-Davis and a private testing lab in Huntsville, Ala., are studying those files under strict promises of confidentiality. What they find could bear directly on what kind of voting systems almost a third of California counties will use in the 2006 elections and indirectly on Diebold's viability as an e-voting company.

---

At issue in California is a kind of software called interpreted code — bits of programming akin to Java and HTML that are loaded and translated into computer instructions on, or immediately before, Election Day. Johns Hopkins University computer scientist Avi Rubin said interpreted code can alter a voting system on the fly from its original, tested-and-approved operation.

"If there is some way to slip in interpreted code," said Carnegie Mellon University computer scientist and voter-systems certifier Michael Shamos, "then we have no way to control what the machine is executing."

But with thousands of Diebold voting machines carrying those files already deployed nationwide and a huge share of the market — the firm supplies 17 counties from San Diego to Los Angeles to Alameda to Humboldt — elections officials and computer experts who advise them are looking closely at Diebold's interpreted code and seeing whether it might be used safely after all.

Diebold programmers created their own language, AccuBasic, for the interpreted code used in all of the voting machines supplied for polling places. But they have told election officials in several states that AccuBasic is a very limited language, able only to read vote counts and not modify them, then print out vote reports in the various ways that counties may ask. Tailoring those reports for individual jurisdictions is the main reason for using the interpreted code.

According to several elections officials and voting system experts, Diebold managers persuaded Ciber Inc., a private software lab in Huntsville, Ala., which tests voting systems for national approval, that the files were inconsequential and not worth a look. Ciber engineers cleared the system, and the National Association of State Elections Directors gave it a national stamp of approval last year under 2002 federal voting system rules that with few exceptions bar the use of interpreted code.

Last summer, Finnish computer expert Harri Hursti took a twin of Diebold's memory cards and preloaded it with votes, a negative number on one side of an issue and an equal, positive number on the other side. Then he retooled Diebold's AccuBasic files so the computer never looked at the preloaded votes before an election. A printout of the vote counters before any ballots were cast would show zero votes although the election already was rigged.

Voting-system experts say the vote fraud fails if the hacker can't gain access to the memory cards or can't change the vote reports without detection. The vulnerability is not as great with Diebold's touchscreen voting machines, which also use interpreted code stored on PC cards. But those programs are encrypted, making it more difficult to alter their contents, Shamos said, and unlike the older optical scanners, the touchscreens automatically clear their memory for storing votes when started up for an election.

He and several other computer experts said that if Diebold's files are as limited in function as the company claims, then a way of checking the authenticity of the files before the election and tighter restrictions on the handling of the memory cards might add enough security for voters to use the system. Elections officials might track the serial numbers of all the memory cards and lock the cards into the voting machines with multiple tamper-proof, numbered seals.

Those answers could clear a technical snag for Diebold, but the firm's critics are suggesting the political bar will be higher.

Activists last week in Sacramento called for disallowing the use of any Diebold voting machine with interpreted code, which is to say virtually all of them. Sen. Debra Bowen, chairwoman of the elections committee and a Democratic contender for secretary of state, said talk of a procedural fix or other workaround gave her "extreme cause for concern."

"The fact that we have a statewide election in less than five months shouldn't be used to cut corners on the certification process, yet that sounds exactly like what this 'work-around' proposal will do," she said Friday.
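
----------

The pre-election checks the experts describe above (file authenticity, memory-card serial tracking) can be sketched as follows, together with a direct read of every counter instead of trusting a report printed by code stored on the card. This is an added example, not code from the article or from Diebold; the card layout, field names, serial number and script contents are constructed assumptions.

```python
import hashlib
import hmac

def pre_election_check(card, certified_sha256, expected_serial):
    """Return a list of findings; an empty list means the card passed."""
    findings = []

    # 1. Custody: the serial must match the one logged for this machine.
    if card["serial"] != expected_serial:
        findings.append("serial mismatch")

    # 2. Authenticity: hash the report script stored on the card and compare
    #    it with the digest recorded when the script was tested and approved.
    digest = hashlib.sha256(card["report_script"]).hexdigest()
    if not hmac.compare_digest(digest, certified_sha256):
        findings.append("report script differs from certified build")

    # 3. Counters: read each one directly. A total of zero is not enough,
    #    because a negative count on one side can cancel a positive one on
    #    the other, and a report produced by the card's own script is only
    #    as trustworthy as that script.
    nonzero = {name: n for name, n in card["counters"].items() if n != 0}
    if nonzero:
        detail = ", ".join(f"{k}={v}" for k, v in sorted(nonzero.items()))
        findings.append("nonzero counters: " + detail)

    return findings

# Constructed sample data (hypothetical layout, not a real card format).
CERTIFIED_SCRIPT = b"constructed stand-in for the approved report script\n"
CERTIFIED_SHA256 = hashlib.sha256(CERTIFIED_SCRIPT).hexdigest()

CLEAN_CARD = {
    "serial": "MC-0001",
    "report_script": CERTIFIED_SCRIPT,
    "counters": {"yes": 0, "no": 0},
}
TAMPERED_CARD = {
    "serial": "MC-0001",
    "report_script": b"constructed stand-in for an altered report script\n",
    "counters": {"yes": 5, "no": -5},  # offsetting preload; sums to zero
}

if __name__ == "__main__":
    for label, card in (("clean", CLEAN_CARD), ("tampered", TAMPERED_CARD)):
        print(label, pre_election_check(card, CERTIFIED_SHA256, "MC-0001"))
```

The check has to run on equipment other than the machine under test, and the certified digest has to come from a record kept separately from the card.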
