Level of Protection Debated: Electronic Elections Seen as an Invitation to Fraud

Times Staff Writer

Most computer security experts wince when they look at the electronic tabulation systems that now count more than half of the American vote.

With a few exceptions, the “state of knowledge” about protecting these systems against tampering and fraud “appears to lie between very primitive and non-existent,” Willis H. Ware, a senior scientist at the RAND Corp. in Santa Monica, said in a paper prepared for an elections workshop in early 1987.

Ware said the election community “is low on the learning curve of security” and “has not taken advantage of knowledge that exists elsewhere and is applicable.”

Ware concluded his paper on this ominous note: “There is probably a Chernobyl or a TMI (Three Mile Island) waiting to happen in some election, just as a Richter-8 earthquake is waiting to happen in California.”

Peter G. Neumann, a computer security expert at SRI International in Menlo Park, Calif., agrees. “There are vulnerabilities everywhere,” in computerized vote-counting systems, Neumann said in a recent interview.

Election Watch, a project of the Los Angeles-based Urban Policy Research Institute, warned just before the November, 1988, elections, “The advent of computerized vote counting over the past two decades has created a potential for election fraud and error on a scale previously unimagined.”

The Election Watch criticisms were based on a paper written by Howard Jay Strauss and Jon R. Edwards, computer scientists at Princeton University.

But other experts believe that the vote-counting systems are basically sound and that better management would eliminate most of the security risks.

“The election community is scared,” said Lance J. Hoffman, professor of electrical engineering and computer sciences at George Washington University. “With some notable exceptions, they don’t understand the technology. There is not enough money or training to enable our election officials to conduct elections correctly in the computer age. They are not up to speed. But these are all problems that can be solved. Whether they will be--that’s another matter.”

Even the severest critics acknowledge that no cases of rigging election results by tampering with the vote-counting computer programs have been proven.

There have been computer programming errors--for instance, failure to account for ballot rotation, which is done to prevent one candidate from having the top-position advantage in all precincts, or failure to identify “split precincts,” in which some voters live within the election’s geographical area but others do not.

Other Problems Cited

Fraud has occurred in other areas of computerized elections. Ballots have been stolen. Ballots have been run through card-reading machines several times or not at all. Corrupt poll workers have punched out ballot cards for non-existent voters. Names have been added to or removed from voter registration lists illegally.

Fraudulent computer programming has been claimed in several lawsuits around the country in recent years but most of these have been dismissed on procedural grounds without reaching the fact-finding stage. Traditionally, federal and state courts have been reluctant to overrule local election officials.

Some believe this record proves that the nation’s worst electoral nightmare--the rigging of a presidential election--could never happen.

“There have been innumerable recounts for innumerable offices where these things have been looked at and they tend to confirm the system,” said Richard G. Smolka, professor of government and public administration at American University in Washington and editor of a newsletter that is widely read in the elections field.

“If you’re going to allege fraud, you have to offer some proof,” Smolka said. “That hasn’t been done.”

Others believe that the rigging of an important election--a U.S. Senate race or even the presidency--is technically possible but highly unlikely.

‘Anything Is Vulnerable’

“Sure, anything is vulnerable to fraud or manipulation,” said Penelope Bonsall, director of the National Clearinghouse on Election Administration, an arm of the Federal Election Commission. “But you’ve got to have technical knowledge and you’ve got to have collusion. One person can’t do it in most systems.”

Bonsall and others say a successful fraud probably would have to involve someone with knowledge of a particular vote-counting system and someone with access to the place where votes are counted. The timing would have to be perfect and great skill would be needed to select precincts where false results would not be quickly noticed.

“The feeling in the industry is that there are so many easier ways to affect an election that tampering with the tabulating software doesn’t really make sense,” Bonsall said.

Craig C. Donsanto, who has prosecuted voting fraud cases for 18 years as head of the U.S. Justice Department’s election crimes branch, agreed that “you have to have access” and “some degree of technological knowledge” to penetrate an electronic tabulation system, but he expects attempts to be made.

“All voting systems are capable of being corrupted,” Donsanto said. “Most of them have been or will be . . . simply because voting is the way we determine who gets power in this great country.”

No Federal Prosecutions

There have been no federal prosecutions for tampering with computer vote-counting programs yet, but Donsanto suggested that this might be because federal investigators are less familiar with these systems than they are with paper ballots and lever-operated voting machines.

Donsanto ticked off a long list of the ways in which the lever machines still used in New York City, Philadelphia and many other Eastern and Midwestern cities (and in four California counties) can be tampered with.

The machines’ counters, which operate on the same principle as an automobile speedometer, can be shaved or sawed. Levers for some candidates can be removed. Phony ballot faces can be printed, listing candidates and issues incorrectly on the front of the machines. If all else fails, election officials can report false totals from the machines’ counters and, since lever machines produce no “audit trail,” it is difficult to prove them wrong.

“We know how to investigate these kinds of voting systems,” Donsanto said. “We’ve had more than 100 years of experience with them. That is not the case with computer voting systems because we don’t yet know what to look for.”

It could be that some elections already have been rigged.

“If you did it right, no one would ever know,” said Steve White, former chief assistant attorney general in California.

Election fraud is difficult to prosecute, White said, because “you need a co-conspirator who comes forward” or “an election that is such an upset that people would look into it.”

He said a “more likely scenario” is that in a close election, “you just change a few votes in a few precincts in a few states and nobody would ever know.”

Some critics of computerized vote counting worry about the potential for “trapdoors,” “time bombs” and “Trojan Horses.”

A computer operator with the correct password could place a trapdoor, or series of hidden vote-counting instructions, inside the system, according to the Election Watch report.

Once into the system, the operator could “program the computer to count votes for one candidate as votes for another,” the report said. “After enough votes have been changed to swing the election, the trapdoor could be closed--with no record that it ever existed.”

A trapdoor would have to be sprung by a computer operator on the scene but a “time bomb” could be placed inside the tabulation system in advance.

“The time bomb could instruct the computer to add 500 dummy votes while the perpetrator relaxed thousands of miles away,” the Election Watch report stated.

‘Trojan Horse’ Concept

Strauss, the Princeton University computer scientist, said a programmer writing the “source code” for one of these vote-counting systems could insert a “Trojan Horse” that might not appear for years.

“Suppose I want to throw the 1992 presidential nomination to (U.S. Sen.) Bill Bradley or (former U.N. Ambassador) Jeane Kirkpatrick,” Strauss said. “I write the code so that every time that name comes up in the 1992 primaries, he or she receives a certain number of votes.”

But other experts, including Robert J. Naegele, who has been California’s chief consultant on electronic tabulation systems for more than 20 years, think this is unlikely.

So many different vote-counting systems are used around the country, with computer software of various types and ages, that it would be a “monumental task, one that borders on the impossible” to rig them all to produce a desired result at a given time, Naegele said.

Such manipulation would be “easy to detect,” he added, because inserting the “Trojan Horse” candidate would make the computer program longer, a change that even a superficial security system should be able to detect.

Although some of these schemes for rigging elections sound exotic and far-fetched, there is general agreement among computer security experts and election officials that today’s voting systems are vulnerable in too many ways.

Blank Ballots Accessible

Blank ballots sit in private homes and garages for a week or two before Election Day. Although the ballots are numbered and are identified in other ways, the possibility exists that one set of ballots could be substituted for another.

“I don’t like having them sit around that long,” said Ralph C. Heikkila, who, as assistant registrar-recorder, is in charge of Los Angeles County’s highly regarded election procedures. “If there were some way we could deliver them later, we would do that.”

Transporting ballots after the polls close also presents many problems.

“The weakest link in the security system is when ballots are moving from the polling place to the counting center,” said Ernest R. Hawkins, Sacramento County Registrar of Voters. “I can conceive of a scenario where fake cards are fed in somewhere along the way.”

The ballots usually are transported by volunteers who sometimes get lost, run out of gas, visit local bars or, as happened once in Napa County, go home to bed and do not deliver their valuable cargo until the next day.

A batch of Salinas, Calif., votes once ended up at the post office instead of the Registrar of Voters office. On another occasion, Sacramento County ballots being carried in an open truck were scattered across agricultural fields by high winds. In the June, 1988, primary several hundred ballots from Pomona simply disappeared.

Sent on Open Phone Lines

Results sometimes are transmitted from one counting place to another on open phone lines.

“That kind of system is a (computer) hacker’s fair game,” said Austin C. Hoggatt, a computer expert in the School of Business Administration at UC Berkeley.

Election officials could avoid this problem by using “dedicated” phone lines that are difficult to penetrate, but these are expensive and many small election jurisdictions cannot afford them.

Naegele, the California consultant, thinks the greatest security weakness is that most electronic vote-counting programs can be changed while the count is taking place.

This usually is done to allow operators to add Election Day votes to already-counted absentee ballots, but Naegele called this practice “really scary because no system has a way of protecting against” fraud under these circumstances.

“I haven’t seen a case of fraud of this kind,” Naegele said, “but that’s really irrelevant--the vulnerability is there.”

In many places, including Los Angeles County, votes are tabulated on the same mainframe computer used by the police, fire department and other government agencies. This is dangerous, many computer security authorities believe, because the more people who have access to the computer, the greater the opportunity for tampering.

Ban on Media Access

For the same reasons, these experts would not allow news organizations to have computer access to voting results on election night--a common practice.

Vote-counting computer systems usually require passwords, sometimes several passwords, for entry. In most cases, only one or two “super-users” in each election jurisdiction know all the passwords.

But Peter Neumann of SRI International believes there should be no “super-users,” that no individual should have access to all parts of the vote tabulation process.

Neumann is especially opposed to the common practice of allowing an election to be run by the company that manufactured or sold the vote-counting program.

“When you allow the vendor to handle the election, you have violated the principle of ‘separation of duties,’ ” he said, “and if you violate the ‘separation of duties,’ you compromise the whole thing.”

There is a sharp difference in viewpoint between election officials, most of whom feel that ultimately someone must be trusted, and computer security specialists, who trust no one.

“You’ve got to trust somebody, somewhere,” said Bonsall of the National Clearinghouse on Election Administration.

But Naegele disagrees.

“You must trust nobody,” he said. “You have to have absolutely iron-clad checks and procedures and controls. You just have to assume that everybody who lays a hand on this process is going to screw it up.”

However, election officials fear that too much security can turn voting into some kind of war game, instead of the exercise in democracy it is meant to be.

“To have the ultimate security, you wouldn’t allow anybody to have access to anything,” Heikkila said. “I think you need a balance between security and getting the results to the public. After all, that’s what we’re supposed to be doing.”

Still, there is general agreement that much needs to be done to tighten computer security in most election jurisdictions.

Maintaining tight control over the ballots, before and after they are cast, would help. So would the use of “dedicated” telephone lines to transmit results, not permitting changes to be made in the vote-counting program while votes are being tabulated, counting the votes on a “stand-alone” computer--one that is used for elections only and not for other government services--and eliminating “super-user” passwords.

Additional Safeguards

A key provision of the voluntary state standards for computerized elections that are about to be approved by the Federal Election Commission would require vendors to place “source codes,” the heart of the vote-counting programs, in escrow so they could be checked should either fraud or error be claimed.

Texas law already requires that these codes be deposited with the secretary of state and similar legislation is pending in California, Florida and other states.

Vendors have resisted this in the past, claiming that these codes are trade secrets that must be jealously guarded to maintain competitive advantage.

“Our feeling is these people (the escrow agents) will read everybody’s software . . . and eventually they will filter into the business and steal our ideas,” said Curt Fielder, vice president of DFM Associates, an Irvine company that produces vote-counting software.

But most companies now realize they will have to part with their programming information, however reluctantly.

“I think the vendors now realize that, whether or not there are legitimate problems, they are going to have to make the source codes available,” Heikkila said. “The pressure is just too great.”

Although criticism of lax security in computerized vote counting has increased in recent years, few politicians have displayed much interest in the subject.

Wary of Interference

Some U.S. senators and congressmen are leery of interfering in the states’ conduct of elections, a right conferred by the U.S. Constitution.

Many others see little reason to question a system from which they have benefited.

“This is an area of enormous disincentives,” said Marc Rotenberg, director of the Washington office for an organization called Computer Professionals for Social Responsibility. “People in public office are not inclined to go back and look at the system that got them elected.”

Not even “good government” organizations have had much to say about electronic vote counting.

“We don’t really have a position on it at this point,” said Patrick Fn’Piere, communications director for the League of Women Voters. “It’s a highly technical field that is being debated. . . . We are going to reserve judgment.”

The Markle Foundation of New York City has financed several important studies of electronic vote tabulation, studies that have led Lloyd N. Morrisett, the foundation’s president, to conclude, “We’re lucky we’ve survived so far, given the potential for error and manipulation and the low level of competence of many election officials.”

Active Group of Critics

Election Watch is a small but active group of critics--pointing out mistakes in computerized voting, prodding news organizations to look into elections that have gone awry, pressing for stronger state and federal standards.

The group has urged that a citizens election committee, “composed of impartial citizens of the highest personal integrity and computer scientists of comparable stature,” assume responsibility for supervising computerized elections on a national scale.

But many close observers think it will take an electoral debacle to bring about change.

“If there should be a major scandal and a lot of attention is focused on it, then we’ll get some reform in a hurry,” Morrisett said. “Other than that, it’s going to be a slow, gradual process of training people, getting better election officials, putting more pressure on them and on the vendors to produce secure, accurate equipment.”
