Is E-Voting Secure?

<B>Scott Pelley</B> On Whether Voting Systems Could Be Open To Attack

We've had four years to straighten out the voting systems that led to the election debacle of 2000. And many counties have rushed to replace those infamous punch-card systems with what's supposed to be the wave of the future — electronic voting.

In fact, there are now so many of these computer voting terminals it's estimated that up to 45 million voters will cast ballots on them next week.

With no less than the presidency at stake, you might think the software behind this technology has been perfected. But, as Correspondent Scott Pelley reports, there's concern about whether bugs in the software could make the computers vulnerable to error and tampering.

More than $300 million is being spent on new machines, but are we any better off than we were four years ago?

Remember 2000? In Florida, angry partisans invaded a county election office. They were forced back in a scene that looked like a country having its first election. No election official in the nation wants to hear this at their door.

On Tuesday, election officials hope to convince voters in much of the country to switch from fists to fingertips and light up their choices on a touch-screen computer.
How are they working so far? "The voters love them. The surveys we've had, as well as other jurisdictions around the country, voters flock to them. They're big print, easy to understand, easy to use," says Conny McCormack, who runs elections in Los Angeles County. She's been using
the terminals in early voting for four years.

McCormack showed 60 Minutes Wednesday some of the advantages. "In Los Angeles, you have a choice of languages [Chinese, Vietnamese, Korean, Spanish]," she says.

There is also a screen that shows the voter his ballot and lets him correct mistakes at the end.

There are about a dozen manufacturers of electronic voting machines, and they all have one thing in common: they record the vote in the computer's memory. But the drawback is there's no way for the voter to verify on paper that his vote was recorded accurately -- there's no paper trail, which worries critics.

The machines are being set up in 29 states, and nearly a third of the nation's voters are expected to use them on Election Day. One of the places they'll find them is Palm Beach County, Fla., which was, in the last election, the home of the hanging chad.

"I think it's going to have a bigger problem than it had in 2000," says Charlotte Danciu, a lawyer whose father, a long-time politician, ran for city council in 2002. It was one of the first elections in which Palm Beach County used the new machines. He lost in an upset, but what upset Danciu even more were the calls she got from voters after Election Day.

"There was this elderly woman on the phone and she's like, 'Miss Danciu, you don't know me, but I kept trying to vote for your dad last night. I kept pushing his name on the screen and the opponent's name kept registering,'" says Danciu. "And they would call over a poll worker, who would do such things as punch the machine, hit the machine, unplug the machine."

Not only that, but in a small runoff election in the same county, with only one race on the ballot, officials came up 78 votes short. Palm Beach County says 78 people who signed in decided not to vote.

"I don't think people would take off from their day and go there with one choice and make no choice," says Danciu. "I think that that's ridiculous. I think these computers did not record the vote."

After the election, Danciu brought in an expert to inspect the machines and she brought a photographer along. When the expert pressed two names at the same time, the computer lit up a third name in the middle. The expert said the machine should "detect that I'm pressing two things."

Election Supervisor Theresa Lapore, who spent $14 million on the machines, complained it was a trick: "You're just trying to trick the machine. Normal persons wouldn't do that."

But the expert was trying to trick the machine. And she did. The maker of these machines, Sequoia Voting Systems, declined to talk with 60 Minutes Wednesday on camera. But the company said it knows about this trait in its system, and the voter can correct any mistakes he makes before recording the vote.

Still, many computer experts are concerned about the software used in electronic voting machines.

"It is not possible for humans to design software that is that complex and is perfect," says David Jefferson, a scientist with the Lawrence Livermore National Laboratory. He's the technical adviser on electronic voting for California.

"Every software application you have ever used in your ordinary life using a PC, you run into bugs all the time," says Jefferson. "Either the software will do something wrong or it will just plain crash. … They [voting systems] have received quite a bit less scrutiny than most of the software that you run every day on your PC."

They have received less scrutiny because the computer makers consider their election software to be a trade secret. Danciu asked to inspect the software from her father's election to see if there were bugs, but Palm Beach County said no.

"They even took the position that if they were to disclose any of it to us, that they would be breaking the law and committing a felony," says Danciu.

"The situation that we are in today is that the voting system software is basically secret, basically a very dark, deep, dark secret," says Jefferson. "That is to say only a very tiny number of people in the United States have been allowed to inspect this software."

The software in electronic voting machines is unbelievably complex, and it's supposed to meet federal standards. But the computer manufacturers don't let just anyone look at it. They pay testing labs to certify the software, and neither election officials nor the public typically gets to see the thousands of lines of computer code that make up the software itself.

That is, until last year, when one version of a voting program leaked out into the public by mistake. Diebold Election Systems, one of the largest manufacturers of electronic voting machines, accidentally put its software on the Internet briefly and Avi Rubin got hold of it.

"Within one hour, we had found some unbelievable security problems, and we knew at that point, our hearts started beating fast, and we knew we were sitting on some kind of time bomb," says Rubin, who is technical director of the Johns Hopkins University Information Security Institute.

Rubin, also a professor with a Ph.D. in computer science and engineering, said the program he saw last year used security software that was obsolete.
How would he characterize the software? "It was far below state-of-the-art. I would say it was just, they had absolutely no idea what security is about," says Rubin.

How difficult would it be to tamper with one of these machines? "I don't think it would take much sophistication," says Rubin. "I think a teenager who meddles with computers and has some programming experience could do it."

Diebold says that the program Rubin saw was two years old, that it's a work in progress, and that it's never been used in an election. Still, Rubin's study was the first public analysis of voter software, and it sent a shock through the states.

As a result, the state of Maryland did its own studies and a Maryland expert was able to pick the lock on a machine, attach a keyboard, and get to the point of changing the votes. The Maryland study concluded there are "considerable security risks that can cause moderate-to-severe disruption in an election."

Maryland decided to go ahead with the machines after Diebold promised security improvements recommended by the state experts.

Still, McCormack says tampering isn't likely in the real world: "Don't you think a poll worker might notice if someone came in and started trying to put, plug in a piece of equipment? I think that would be pretty noticeable in a polling location."

In Los Angeles County, and many other places, they put tamper-evident tape on the machines. They test the terminals to make sure they're working properly and never connect them to the Internet.

But Jefferson, California's state expert, told 60 Minutes Wednesday he worries not so much about hacking into one machine, but the possibility that a rogue programmer could tamper with software and corrupt the votes in thousands of the terminals.

"The electoral weapon of mass destruction, if you will, would be if you were able to modify the software at the source, where the vendors write it, and insert either a bug or some piece of malicious logic that was distributed to every state that used electronic voting machines," says Jefferson. He calls voting a national security issue, and says voting machine programmers should have security clearances.

Would you know if somebody modified the software?

"No. I think the important point is that if you were interested in doing this, you would design it in such a way that it would not show," says Jefferson.

McCormack, however, says that while security could be improved, much of the concern is overblown. "There's no question the security could be enhanced. And I'm not trying to say that it couldn't be and I think that's true in all aspects of our life," says McCormack.

Does she believe that security enhancements on these machines are called for? "I had no problems with them. And so, everything in life could be more secure. Of course it could be," says McCormack. "But the measure to me is whether or not there's been a problem with the accuracy. Have votes been stolen? Have there been any proof of evidence? There hasn't been evidence."

But critics say that's the problem. With electronic voting, there might not be any evidence of tampering. On election night, the computer reports hard numbers, but the question is did anything strange happen in the complex software that lies between the fingertip and the memory chip?

Danciu said there's no way to be sure, because she believes there's no way to do a real recount.

"The Palm Beach supervisor's position was, 'Well, when you push this button, the computer will recount.' Well, it just retabulates and spits out in a nanosecond what it said the nanosecond before. There is no recount. There's no physical evidence to recount."

"You're essentially running the same data through the same software on the same computer, you're gonna get the same answer every time," says Pelley.

"You are gonna get the same answer every time," says McCormack.

Is that a recount? "Oh, I think it's a recount. And you know, do people really want to get a different answer? What we saw four years in Florida was a recount that was done, where people got a different answer, chad fell out and the numbers were different," says McCormack.

"This shocked people. The recount doesn't match, and yet, in electronic, the recount matches and everybody's critical of that. So I don't think there's anything in between. It's either gonna match, or it's not gonna match. There's criticism at either level."

With the election predicted to be close, and up to 30 percent of the vote being cast on electronic terminals, that recount issue may make the computer chip this year's hanging chad.

As a precaution, Nevada is equipping its computer voting terminals with a paper record so that voters can verify their ballots.

Diebold declined an interview, but the company told 60 Minutes Wednesday its equipment is the most accurate and secure on the market, and greatly reduces the errors of older voting machines. The company says it fixed the bugs that were found by Rubin and the State of Maryland. Still, at least in California, there will be old-fashioned paper ballots available for anyone who doesn't want to use the touch-screen machines.