Will Your Vote be Counted? Not Necessarily, says Princeton Team

Nov. 7, 2006— -- This is the day when, in the privacy of the voting booth, you help choose our leaders. When you close the curtain behind you, you expect the person you choose will get your vote. Right?

Not necessarily, said Edward W. Felten.

Felten, a professor of computer sciences at Princeton, began a furor in September by hacking into the electronic voting machines that were designed to prevent election fraud.

Felten and two Princeton graduate students, Ariel Feldman and Alex Halderman, created a computer virus that they said could "steal" votes from one candidate, give them to another -- and go undetected.

"You have to be a good programmer -- not a genius -- to do this," said Halderman. "I believe a good programmer could reproduce our virus without very much effort."

"I hope our work has created some momentum toward more secure voting," wrote Felten in an email to ABC News. "In the current election, we're hoping for the best. In the future, I hope we'll have more safeguards in place."

About 80 percent of voting in the United States is now electronic. Felten and his team targeted the most commonly used electronic-voting machines in the United States, the Diebold AccuVote-TS series.

The AccuVote machines are small desktop computers with touch screens. They can print out their results, but the totals on Election Day are meant to be recovered electronically -- the better to ensure accuracy. The Princeton team was given a machine by someone, they said, who prefers to remain anonymous.

Washington vs. Arnold

The computer virus -- written by graduate student Feldman over the summer -- was stored on a memory card, which they said could be inserted into a Diebold machine by opening a small locked hatch or unscrewing the machine's bottom cover. The team said either could be done in a minute or two -- adding that election workers might often have access to voting machines.

To illustrate their point, the team did a demonstration for Princeton's computer science department. They invited colleagues to vote in a mock presidential election -- George Washington vs. Benedict Arnold. No matter how people actually voted, Arnold won every time.

"We found that the machine is vulnerable to a number of extremely serious attacks that undermine the accuracy and credibility of the vote counts it produces," wrote Felten, Feldman and Halderman.

Diebold Responds

Diebold Election Systems, based in Allen, Texas, said the study was flawed, targeting software that is two generations old. "Normal security procedures were ignored," Diebold said in a statement. "Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit. A virus was introduced to a machine that is never attached to a network.

"By any standard -- academic or common sense -- the study is unrealistic and inaccurate," said Diebold. "Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day."

"That's what they were saying a few years ago," said Princeton's Halderman. He said he would very much like to study Diebold's newer machines and software. "We expect, and fear, unfortunately, that if we were to examine the newer version of the software, we could find similar problems."

Felten reported in his blog that over the weekend he came across unattended voting machines near his New Jersey home, machines that, he argues, could have been compromised without anyone seeing him. "I wasn't looking for voting machines in this location, not knowing that it served as a polling place, but the machines were pretty hard to miss," he wrote.

If that is so, what's the best way to ensure honest elections? The Princeton team suggests that high-tech be backed up by low-tech -- that after you vote you get a paper printout to put in an old-fashioned ballot box.