Sept. 15, 2006 -- When you walk into a voting booth and close the curtain behind you, you know which candidates you like, and you expect the people you choose will get your vote. Right?
Not necessarily, says Edward W. Felten, a professor of computer sciences at Princeton University who has made a career in recent years of poking holes through computer security.
In 2001, Felten raised hackles in the music industry by showing how hard it was to keep a recording from being copied. He's written software to show how easily private computer networks can be breached.
And now he's violated the sanctuary of the voting booth by hacking into the electronic voting machines that were designed to prevent election fraud.
Felten and two Princeton graduate students, Ariel Feldman and Alex Halderman, created a computer virus that they say could "steal" votes from one candidate and give them to another -- and go undetected.
"You have to be a good programmer -- not a genius -- to do this," Halderman said. "I believe a good programmer could reproduce our virus without very much effort."
Felten and his team targeted the most commonly used electronic voting machines in the United States, the Diebold AccuVote-TS. In November, almost 10 percent of American voters will find the TS or a similar model, the TSx, in the booth when they go to the polls. About 80 percent of voting in the United States is now electronic.
The AccuVote machines are small desktop computers that include a touch screen. They can print out their results, but the totals on Election Day are meant to be recovered electronically, the better to ensure accuracy.
The Princeton team was given one of these machines by someone, they said, who prefers to remain anonymous.
Washington vs. Arnold
The computer virus, which graduate student Feldman wrote over the summer, was stored on a memory card that they said could be inserted in a Diebold machine by opening a small locked hatch, or unscrewing the machine's bottom cover.
The team said either could be done in a minute or two, adding that election workers might often have access to voting machines.
To illustrate its point, the team did a demonstration for Princeton's computer science department. The team invited colleagues to vote in a mock presidential election -- George Washington vs. Benedict Arnold. No matter how people actually voted, Arnold won every time.
"We found that the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces," wrote Felten, Feldman and Halderman.
Diebold Election Systems, based in Allen, Texas, said the study was flawed, targeting software that is two generations old.
"Normal security procedures were ignored," the company said in a statement. "Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit. A virus was introduced to a machine that is never attached to a network.
"By any standard -- academic or common sense -- the study is unrealistic and inaccurate," the Diebold statement said. "Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day."
"That's what they were saying a few years ago," answered Halderman from Princeton. He said he would very much like to study Diebold's newer machines and software. "We expect and fear, unfortunately, that if we were to examine the newer version of the software, we could find similar problems."
If that is so, what's the best way to ensure honest elections? The Princeton team suggests that electronic voting be backed up by paper receipts -- that after you vote you get a printout to put in an old-fashioned ballot box.