Friday, December 02, 2005

Diebold faces e-voting machine hack test in California

computerworld.com
The attempted hack, set to take place this week, has been delayed

News Story by Marc L. Songini

DECEMBER 01, 2005 (COMPUTERWORLD) - Looking to quell fears about the potential for vote tampering with electronic voting machines, the state of California is sponsoring a hacking test of an optical scan voting device from Diebold Election Systems.

The initial hacking was slated to be held yesterday but was postponed, said Jim March, an investigator at Black Box Voting Inc., a Renton, Wash.-based nonprofit voter advocacy group. His organization has been prodding California Secretary of State Bruce McPherson's office to test Diebold's AccuVote optical scan gear for alleged vulnerabilities.

The move comes amid recurring concerns that e-voting gear, including optical scan and touch-screen voting machines, is vulnerable to intrusion or rigging. In this case, March claimed that a vulnerability in the memory card in the Diebold optical scan machine could allow a hacker to replace code and "doctor the results."

Black Box Voting had planned to provide a hacker for yesterday's demonstration, a Finland-based security expert and "uber-geek" named Harri Hursti, March said. Working with Black Box Voting, Hursti last May successfully hacked a Diebold machine in Leon County, Fla.

A spokeswoman for the California secretary of state said that McPherson decided to sponsor the security test because of the Florida experiment. She also said the exact protocols and logistical details to be used in the hacking attempt are still being finalized with Hursti. The testing would involve the random selection of an AccuVote machine currently in use in one of California's voting precincts. No new date for the hacking attempt has been set, but California officials said they hope to conduct it by year's end.

McKinney, Texas-based Diebold denied that its optical scan gear is vulnerable and said it will work with McPherson on the upcoming hacking attempt. A Diebold spokesman also called the Leon County, Fla., hacking invalid. "We weren't ever aware of it," David Bear said. "The election official bringing [Hursti and Black Box] in gave them complete and unfettered access and the passcode." In a real election, doing so is bad policy and something elections officials would not allow to happen, he said. Bear also said that security procedures during elections extend beyond the safety of the equipment.

"If I gave you the keys to my house and told you when I was out, you would have a good chance to get in," Bear said. He also noted that the optical scan machine records the actual vote in a memory card and on paper ballots that are audited during the mandatory canvassing period to guarantee the integrity of the results.

On another front, Diebold's status as a provider of e-voting equipment in North Carolina is in limbo after a judge this week denied the company's request for protection from the state's election transparency laws.

North Carolina's strict election statutes, passed in August, demand that the vendors of all e-voting machines put their source code in escrow with an approved and independent agent. The vendor must also include relevant scripts, object libraries, application interfaces, and design and technical documentation. If the vendor doesn't comply, it faces potential civil or criminal legal penalties.

Diebold on Nov. 4 got a temporary restraining order to exempt it from any legal jeopardy while it continues to sell its machines in North Carolina. On Monday, Diebold appeared in Wake County Court in Raleigh, N.C., for a preliminary injunction to shield it from potential penalties. But the judge ruled that such an injunction would be premature and dismissed the suit.

"We're not trying to evade anything," said Doug Hanna, a Raleigh-based attorney representing Diebold. He said there is no way any vendor can comply with the statute because there are software components from third-party vendors such as Microsoft Corp. that Diebold has no legal right to place in escrow. Diebold would also be unable to name every programmer that worked on those third-party applications, as the state law requires, he said.

Hanna said many states dictate that proprietary source code be placed in escrow, and Diebold has done so in a number of jurisdictions. North Carolina could gain access to the code through one of them, he said.

He said he doesn't know how the fight in North Carolina will affect Diebold's status there.

Critics of Diebold are chalking up the latest ruling as a win. "We think this is a great victory for North Carolina voters," said Matthew Zimmerman, staff attorney at the San Francisco-based Electronic Frontier Foundation (EFF), a nonprofit civil rights advocacy group. The EFF was among the parties opposing Diebold in court.

"It sends a clear message to the rest of the country that the laws designed to increase integrity and transparency are valid and don't prevent a state from being able to go forward with e-voting systems," Zimmerman said, adding that other e-voting vendors, such as Election Systems & Software Inc., have complied with North Carolina's laws. "It [the third-party software issue] was a completely artificial argument in the first place," he said.