Sunday, March 26, 2006

Election Whistle-Blower Stymied by Vendors; After Official's Criticism About Security, Three Firms Reject Bid for Voting Machines

washingtonpost.com
Election Whistle-Blower Stymied by Vendors
After Official's Criticism About Security, Three Firms Reject Bid for Voting Machines
By Peter Whoriskey
Washington Post Staff Writer

MIAMI -- Among those who worry that hackers might sabotage election tallies, Ion Sancho is something of a hero.

The maverick elections supervisor in Leon County, Fla., last year helped show that electronic voting machines from one of the major manufacturers are vulnerable, according to experts, and would allow election workers to alter vote counts without detection.

Now, however, Sancho may be paying an unexpected price for his whistle-blowing: None of the state-approved companies here will sell him the voting machines the county needs.

"I've essentially embarrassed the current companies for the way they do business, and now I believe I'm being singled out for punishment by the vendors," he said.

There are three vendors approved to sell voting equipment in Florida, and each has indicated it cannot or will not fill Sancho's order for 160 voting machines for the disabled. Already, he has had to return a $564,000 federal grant to buy the machines because he has been unable to acquire the machines yet.

"I'm very troubled by this, to be honest -- I can't believe the way he's being treated," said David Wagner, a computer scientist at the University of California at Berkeley who sits on a California board that reviews voting machine security. "What kind of message is this sending to elections supervisors?"

The trouble began last year when Sancho allowed a Finnish computer scientist to test Leon County's Diebold voting machines, a common type that uses an optical scanner to count votes from ballots that voters have marked. Diebold Election Systems is one of the largest voting machine companies in the United States.

While some tests showed that the system is resistant to outside attack, others showed that elections workers could alter the vote tallies by manipulating the removable memory cards in the voting machines, and do so without detection.

A Diebold spokesman scoffed at the results, and compared them to "leaving your car unlocked, with the windows down and keys left in the ignition and then acting surprised when your car is stolen."

State officials similarly played down the results.

But last month, California elections officials arranged for experts to perform a similar analysis of the Diebold machines and also found them vulnerable -- noting a wider variety of flaws than Sancho's experts had. They characterized the vulnerabilities as "serious" but "fixable."

"What he [Sancho] discovered was -- oops -- that the conventional wisdom was all wrong," said Wagner, a member of the panel that reviewed the Diebold machines. "It was possible to subvert the memory card without detection."

In the wake of that finding, Florida elections officials issued new guidelines this month for handling the memory cards. They require records showing who had custody of the memory cards, and are aimed at the same kind of security attack Sancho had simulated.

"It was total vindication," Sancho said.

Diebold officials maintain that their systems are secure when standard safety procedures are used to protect the memory cards from tampering.

"It didn't vindicate Mr. Sancho," said Diebold spokesman David Bear. "You basically follow these industry standards, and you don't have issues."

Regardless, the announcement out of California echoing the Leon County findings was a sweet moment for Sancho, a public official for whom election validity is a very personal interest. In 1986, Sancho was defeated in a botched county commission election in which thousands of votes were believed to have been lost.

"That was the most searing event of my life," he said. "Having run for office and seeing the whole process come down on my head has made me who I am."

He ran for elections supervisor in 1988 and won.

Now he is required under federal laws instituted after the Florida voting debacle in 2000 to acquire 160 voting machines for disabled people -- and none of the state-approved vendors will provide the machines.

A spokesman said Diebold will not sell to Sancho without assurances that he will not permit more such tests, which the company considers a reckless use of the machines.

"While we welcome authorized testing and examination of our products by qualified professionals," Diebold attorney Michael E. Lindroos wrote Sancho last year, "actions such as yours only serve to undermine the public's confidence in the security and accuracy that good systems can provide when used with the proper procedures and by authorized personnel."

Another company, Sequoia Voting Systems, backed out of discussions with Sancho earlier this year. Spokesman Michelle Shafer said the company lacks the capacity to fill his order.

The third voting machine company, Election Systems & Software Inc., did not respond to three calls for comment directed through their sales representative.

The dispute highlights what many elections experts say is a failure in federal oversight. In Maryland, North Carolina, Texas and elsewhere, elections officials have called into question the security and accuracy of new voting machines. The experts said that a more rigorous federal oversight process, in which machine testers have no financial connections to the voting machine companies, is needed to ensure election security in the United States.

"The federal certification process for voting machines is broken, sadly, when it comes to security," Wagner said. "It was designed for the era of mechanical machines, and it hasn't kept up."