WSJ: Diebold security flaws emerge as electronic voting spreads

October 25, 2004
Anne Marie Squeo
news photo

THE HANGING CHADS and lost ballots of the 2000 presidential-election debacle made it seem a foregone conclusion that modernized, electronic-voting machines would be widely embraced the next time around. And so they will be. But paranoia about stolen elections and security flaws has made Nov. 2 a make-or-break event for the fledgling industry and its biggest player, Diebold Inc.

A leading maker of automated-teller machines and vaults, Diebold rushed into the U.S. electronic-voting market just six days after the November 2000 election. With Congress promising billions of dollars in funds for voting modernization nationwide, Diebold looked like the prime winner. Its stock rose 27% between the Nov. 7 election and the Supreme Court's Dec. 13 decision that made George W. Bush the winner.

Today, Diebold is the biggest provider of electronic-voting machines, with some 48,000 to be used this election in 10 states. But its effort to break into the market has proved to be what the company's chairman and chief executive, Walden O'Dell, has called "a minefield."

Some of the mines:

-- Diebold's secret software for its computerized voting-management system mistakenly ended up on the Internet, where it was found to have numerous security flaws.

-- Mr. O'Dell, a major Republican fund-raiser, committed a highly publicized gaffe by sending a letter to fellow Bush supporters committing to deliver Ohio's electoral votes to the president this year. Ohio is considered a critical state to win in this election and could determine the winner in a close race.

-- In California, the company is the subject of civil fraud charges over its newest voting equipment, the AccuVote TSx, whose battery and software problems during the March primaries caused 55% of San Diego polling places to open at least one hour late. The company had told California officials that one version of its voting machine was within days of federal certification, and it wasn't.

Many states, including Ohio, where Diebold is based in North Canton, have delayed purchases to see how well the machines fare in this election. As a result, the financial payoff is taking longer than expected. Diebold recently cut its estimated quarterly earnings by a nickel a share because of increased costs in this unit, and it lowered its 2004 revenue forecast for the unit to between $75 million and $85 million, compared with $100 million in 2003 and $111 million in 2002.

That's a far cry from Diebold predictions in 2002 that the U.S. election market overall would generate as much as $2 billion in revenue for the next four to five years; Diebold hoped to get a big chunk of that. Yet in one setback, the company hasn't been paid $38 million owed it by California.

Mark Radke, the director of marketing for Diebold Election Systems, attributes the company's setbacks to "a lot of speculation and untruths" spread "by a vocal small minority." In a recent statement, the company added that, "We've navigated through a progressively turbulent learning curve in the voting industry, and would certainly do a few things differently if given the chance."

About 29% of registered voters, or more than 50 million Americans, are expected to use touch-screen voting machines made by Diebold or one of its rivals this November, according to Election Data Services, a Washington, D.C., consulting firm focused on election issues. That's up from 12.6% in 2000.

The touch-screen technology in electronic-voting machines is very similar to ATMs, making the business a natural extension for Diebold. In 1999, Diebold spent $225 million to buy a Brazilian electronic- voting business whose machines had been used in that country's national elections without any problems, bolstering the confidence of Diebold executives.

Worried that the Brazilian machines wouldn't be sophisticated enough for U.S. election officials, Diebold spent $24 million to buy a small Vancouver company, Global Election Systems, that had its own touch- screen voting system. Global's AccuVote-TS system had a few customers in the U.S. and already had initial certifications.

With Diebold's rivals -- Sequoia Voting Systems and Election Systems & Software -- making inroads in Florida, the company moved quickly to target other states. And in March 2002, just two months after Diebold completed the Global Election purchase, Maryland ordered $17 million of Diebold electronic-voting equipment for four counties. Two months later, Georgia signed a $54 million contract to buy 22,000 Diebold machines for the state's 159 counties.

But by 2003, as attention turned to the bitterly partisan presidential election, the security of the machines started to be questioned. Bev Harris, an author researching a book on electronic- ballot tampering, had discovered a cache of files on the Internet written by Diebold's computer-programming staff in Vancouver. Among the files Ms. Harris says she found was the source code, or base layer of software, that enables Diebold's voter-management system to work. Employees were using the Internet site "as an online filing cabinet," says Ms. Harris.

In July 2003, an intermediary passed the source-code file to Aviel Rubin, a computer science professor at Johns Hopkins University in Baltimore, who asked a few graduate students to review the code. Within an hour, they had discovered that the software's encryption system was one "everyone knew was broken since 1998," Mr. Rubin says. That same day, they found the key used to open all the machines was the same -- 1-1-1. Mr. Rubin's verdict: "Diebold's code was absolutely atrocious."

The report set off a firestorm. Only two days earlier, Maryland had awarded Diebold a nearly $56 million contract to provide approximately 11,000 touch-screen voting machines. A week later, the company issued a 27-page retort, asserting that the "alleged scenarios could not occur with an actual election process due to the checks and balances" in the equipment and in accepted election procedures.

Two weeks later, the letter by Mr. O'Dell promising to deliver Ohio to President Bush became public when Democrats in the Ohio state legislature got a copy of it. Even election officials who had awarded the company business were taken aback. "When the chief executive of a company that manufactures voting equipment writes a letter like that it adds not just fuel to the fire but causes an explosion," says Chris Riggall, press secretary for Georgia Secretary of State Cathy Cox.

It took Diebold a month to finally address the issue. In an interview with the Plain Dealer newspaper of Cleveland on Sept. 16, 2003, Mr. O'Dell admitted to being "a real novice on the political side." In June 2004, the company amended its ethics policy to forbid top corporate executives and employees of its election-systems companies from making donations or taking part in other political activities, except for voting.

Still, the bad news for Diebold continued. Two more reports commissioned by Maryland officials found securities risks in the AccuVote system. Its machines experienced a number of problems in California during the March primaries other than those in San Diego that led California Secretary of State Kevin Shelley to decertify all electronic-voting machines, including Diebold's, the next month. In September, California Attorney General Bill Lockyer said he would join a lawsuit filed by Ms. Harris, the author who found Diebold's source code on the Internet, on behalf of the state government alleging Diebold had fraudulently said its equipment had been federally certified when it hadn't. If Diebold settles the case or Ms. Harris wins in court, she stands to get a share of the penalties. A company spokesman said Diebold is working diligently to resolve its issues in California and to rebuild trust in its products.

Company and election officials using Diebold machines say they are ready for Election Day and that most kinks have been fixed. Depending on how the machines perform, there could be a big boom in electronic voting. Many states haven't yet spent their chunk of the $3.86 billion in federal funding for new equipment. A 2002 law requires that all punch cards and lever machines be replaced by the first national election of 2006.

Diebold remains optimistic. "Adoption of ATMs took about 12 years," says Thomas Swidarski, the company's senior vice president of strategic development and global marketing. "Now about 75% of the population uses them, and people can't live without them."

Inside the Booth

In the coming election, registered voters will be using equipment old and
new to cast their ballots.

Paper ballot, read by machine .................. 34.9%
Electronic ..................................... 29.4%
Lever .......................................... 14%
Punch card, including DataVote and Votomatic ... 13.7%
Paper ballot, read manually .................... 0.7%
Mixed .......................................... 7.4%

Note: Numbers don't add up to 100% due to rounding

Source: Election Data Services