Hacking Diebold
Sacramento activist Jim March takes on touch-screen voting
The dreary hallway outside of Sacramento Superior Court Judge Raymond Cadei’s fourth-floor courtroom was packed with attorneys, activists and reporters—everyone except the two guys responsible for bringing the whole group there from all parts of the state.
The February 18 hearing was for a lawsuit filed by Sacramento activist Jim March, who’s recently become a leading agitator for electronic-voting security. His lawsuit, charging that touch-screen voting machines made by Diebold Inc. are full of holes that “pose a grave threat to the security and integrity of the statewide elections to be held on March 2,” had the potential to throw the election into chaos. Specifically, March wanted the judge to order that the 19 counties using Diebold voting systems be required to add safeguards to prevent tampering.
Secretary of State Kevin Shelley, who also was named as a defendant, issued a statement saying he “appreciates the concerns raised by the plaintiffs and shares many of them” but is only focused on the March 2 election for now. Earlier this month, Shelley issued a directive telling county registrars who use certain machines to take additional security measures. Registrars in 10 counties, however, wrote back to say they refused because the stepped-up security would be too expensive and too much work. The lawsuit filed by March cited the “open revolt” as evidence of the need to “reduce the risk of vote tampering.”
Huddled at the end of the hall were four high-priced attorneys for Ohio-based Diebold, which grosses $2 billion a year selling automated teller machines, biometric technology, ID-card systems and other gizmos. Attorneys for several counties that use Diebold machines stood nearby, waiting to argue against any interference in their election processes. Elections watchdog Kim Alexander was there, as was Bev Harris, an author and activist famous for rabble-rousing against Diebold. Jeremiah Akin, a Riverside programmer who runs a voting-security Web site, also showed up. When a reporter asked Akin if Jim March had shown up, he said with a smile, “You’ll know him when you see him.”
Akin was right. Just then, a man in a black cowboy hat, dark blazer, bolo tie, black pants and cowboy boots rounded the corner. At 6-foot-4 and 280 pounds, the mustachioed, bespectacled 37-year-old March was impossible to miss. After 15 years of doing tech support and network administration in the Bay Area, where he grew up in the coastal San Mateo County towns of Pacifica and Half Moon Bay, March moved to Sacramento last year to embark on a new career as a gun lobbyist. He’s a registered Republican with a Libertarian bent. He lives across the street from the Capitol. He wears the brim of his hat pinned back on one side—“For the cell phone,” he said. To demonstrate, he took out his cell, extended the antenna and held it to his uncovered ear.
Handing out a business card, he jotted down his cell-phone number and drew diagonal lines through the zeroes, as a programmer would. The card, whose logo shows a minuteman holding a musket, identifies March as a lobbyist for the Citizen’s Committee for the Right to Keep and Bear Arms, a national group he says is “slightly more radical” than the better-known National Rifle Association.
March was accompanied by his lawyer, Lowell Finley, a Berkeley-based political attorney whose most recent claim to fame was winning a judgment against Governor Arnold Schwarzenegger. Last month, a judge ruled that the governor’s $4.5 million campaign loan violated state campaign-finance law and that it would have to be repaid from Schwarzenegger’s own pocket instead of from contributions. After losing, Schwarzenegger called the decision “fantastic.”
When reporters approached, March dove into his criticism of Diebold. “It’s ugly,” he announced, boasting to TV cameras that he could crack Diebold’s system in 30 seconds. “The security is so bad it can only be deliberately bad.” According to March, the only thing one needs to do to hack into a Diebold data file is to “just cut and paste the password” by opening the file in Microsoft Access, a common database application. March also charges that Diebold customized its software “without proper oversight by the Federal Election Commission.” (Diebold representatives say their systems are safe. In their response, company attorneys dismiss the suit as a “last-minute attempt to disrupt” the election.)
When the courtroom opened, March removed his cowboy hat and took an empty seat between several reporters in the front row, where he sat ramrod straight with his hands folded on a thick legal brief.
March started immersing himself in electronic voting less than a year ago, when someone mentioned Harris in an online political-discussion forum. Harris, who lives in the Seattle suburb of Renton, Wash., gave up her job as a literary publicist last year to concentrate full time on her new role as the country’s leading electronic-voting muckraker. She wrote the book Black Box Voting: Ballot-tampering in the 21st Century and created a Web site, Blackboxvoting.com, where she has gleefully posted thousands of internal Diebold documents that she says are incriminating. By simply using the Google search engine, Harris said, she found 40,000 Diebold files on an unprotected company server. A Diebold employee later leaked to her thousands of internal memos and e-mails.
After March read about Harris in August, he started e-mailing her, and soon they were collaborating, their work driven by their intense distrust of Diebold’s electronic-voting machines. “I read her material,” March recalled, “and said, ‘My God. We’ve got to figure out if this stuff is true.’” Harris later shared with March nearly two gigabytes of information, including program files, some of which he posted on his Web site. March, who learned the art of making public-records requests as a gun activist, became a digger for Harris, searching for voting-system documents. As a computer expert, March taught her about technical issues. In September, March outlined his concerns in a letter that quoted the leaked documents, and then he walked it over to the secretary of state’s office, a block from his apartment.
Harris, who also was listed as a plaintiff on last week’s suit, doesn’t belong to any political party, but she calls herself politically progressive. “Jim and I are on opposite ends of the spectrum politically,” she said, describing her unlikely ally as “quite a character.” She added that March attracts attention because “he’s very flamboyant” and as a crusader is “bold and kind of brave.”
Finley, the political attorney, also became interested in electronic-voting systems last year. When he saw March’s Web site, Finley contacted him last fall. “I said I was interested in this issue and interested in seeing what I could contribute,” said Finley. “With my training and his computer expertise, we could do something together.” March decided to sue, requesting a temporary restraining order that would force counties that use electronic-voting systems to add safeguards recommended to the state of Maryland.
“He’s a very smart guy who’s obsessed with justice and equality,” Finley said of his client, whom he is representing pro bono. “He applies those interests to a number of disparate areas, but I think the consistent thread that runs through it is not wanting to take official denials and brush-off statements at face value, particularly from public officials.”
Alexander, president of the Davis-based California Voter Foundation, a nonpartisan group, believes that March’s suit will be the first of many challenges to electronic-voting systems. “This is one of several suits that have been filed across the country in response to computerized voting risks,” she said as she headed into the courtroom last week. “And until those risks are fully addressed, there will continue to be suits like this filed.” Until security issues are resolved, she said, voters in counties with electronic-voting systems should cast absentee ballots.
Like the rest of the country, California rushed to modernize its voting systems after the Florida election fiasco of 2000. But instead of requiring that machines spit out a paper trail that could be audited later, the state allowed vendors to record and tally votes electronically—something Alexander thinks is a huge mistake. Now, there’s no way to tell if touch-screen votes aren’t recorded correctly—or if someone’s screwing with the system. Worse, software used by Diebold and other vendors is proprietary, so it can’t be inspected. Alexander calls it “secret software.”
According to March, there’s another problem. Diebold’s machines run the Windows CE operating system, which must be scrutinized by regulators because it isn’t classified as “certifiable off the shelf” software. Citing the leaked e-mails that he posted on his Web site, March said Diebold didn’t have the proper tests done on Windows CE software running on its machines. In other words, the feds didn’t check Diebold’s code.
In a response filed with the court, Diebold attorneys call that claim “misleading” because federal testers “traditionally” don’t examine Windows CE.
At times, March and Harris do sound like alarmists and conspiracy buffs. But Diebold has done plenty to encourage their suspicions. Leaving the back door to its computer system open was a mistake, and company officials must have been even more red-faced when someone leaked internal memos in which employees chatted blithely about known security problems and about duping government regulators. Worse, the company’s own chief executive officer set conspiracy-theorist tongues wagging last year. In a fund-raising letter to fellow Republicans, Walden O’Dell, a major fund-raiser for George W. Bush, vowed that he was “committed to helping Ohio deliver its electoral votes to the president next year.” It was an unfortunate blunder for the head of one of the biggest makers of electronic-voting machines in the country.
Diebold attorney Daniel McMillan said the company’s systems are secure. He dismissed March and Harris as “activists and conspiracy theorists” who filed suit only as a stunt “to maximize publicity and create as much disruption as possible.”
When the hearing got under way, the judge asked if any clients had told the company about any system failures.
“Not to my knowledge,” McMillan said.
Alexander cursed almost inaudibly to herself, shaking her head. According to Alexander, Alameda County couldn’t count ballots cast in the October recall vote because of what turned out to be a software problem—and that software problem turned out to be that Diebold had installed uncertified software. Some votes were counted for the wrong candidate.
As Cadei questioned the nine attorneys arrayed in front of him, he focused on how a potential decision could affect the March 2 election, in which voting is already under way. “Why are we here two weeks before an election?” Cadei asked. He said he took “great guidance” from the 9th Circuit Court of Appeals’ refusal to order a last-minute halt to the October recall election—an order that, ironically, decided a lawsuit filed by activists who said some voters who used old punch-card machines could be disenfranchised.
After 45 minutes, Cadei announced that he would deny the request for a temporary restraining order. “The petitioners have failed to present any evidence of any actual threat,” he said. “At this point, it’s merely speculative.”
As everyone filed out, March grabbed his hat and turned to leave. “The judge misunderstood what this was even about,” he grumbled. “The judge bought into the county’s line of arguments that it was Armageddon.”
March said he’d keep fighting for better security. He wouldn’t say what his next move would be, only that there would be one. “The real story about what really happened here will come out in the next two months,” he said.