October 7, 2005 2:34 PM PDT

Panel: E-voting vulnerable

GAITHERSBURG, Md.--Overlooked bugs and malicious code pose a plausible threat to software on electronic voting machines, a panel of election experts said Friday.

At a conference held by the National Institute of Standards and Technology, part of the U.S. Commerce Department, election officials, computer scientists and academics weighed in on steps that should be taken before, during and after elections to protect the voting systems against software-related problems. Voting has gone increasingly electronic during the past couple of election cycles, but the devices remain without national, uniform security standards.

Keeping electronic systems safe is not just about fending off hackers, members of the panel said.

"All of you running voting systems now are assuredly running software that has bugs in it--presumably in most cases not malicious--but software is buggy," Ron Rivest, a professor at the Massachusetts Institute of Technology, told the audience, composed largely of election officials from various parts of the country.

It's those bugs, the panel suggested, that are most likely to blame for irregularities in election outcomes. The problem can be quelled to an extent, the panel said, by insisting on a meticulous, higher-quality approach to software development, by certifying all products, and by openly disclosing the source code used.

The openness of voting systems is fundamental to a democratic system, said Michael Shamos, a Carnegie Mellon University computer science professor who has been a longtime election equipment certifier for Pennsylvania.

"If you spend three hours with a voting system, you can figure out how it works and you can replicate it yourself," Shamos said. "I think we need disclosure."

But the idea of exposing the code to outside eyes--not a new one--has spawned criticism from software industry groups such as the Information Technology Association of America, which say they worry it could breed election fraud.

Being able to account for the software's point of origin is also critically important, said Paul Craft, chief of voting systems certification for the state of Florida. He and others said problems have arisen when election workers didn't install the appropriate certified software on the machines in the first place.

The question that remained was just how realistic a threat malicious, deliberate attacks are--and how difficult they'd be to detect.

Shamos of Carnegie Mellon said he, for one, would bet money that no one, even an "omniscient hacker," could create software that "alters the outcome of an election, but does it in such a clever way that no amount of testing either before, after or during the election can reveal it."

He suggested that a tactic known as "parallel testing" could help detect irregularities. Using that method, select voting machines are discreetly "cordoned off" on election day and used only by a special team of people who pose as normal voters. The testers know in advance what the vote totals are supposed to be for those test machines, and the mock voters' behavior is videotaped, so if the ballot numbers don't match up, the testers know there's something wrong with the software.

Others disagreed with Shamos' reasoning. "It's another fence an adversary would have to jump over, but if he knew about it ahead of time, he could use measures to defeat parallel testing," Rivest said.

Some panelists imagined scenarios in which attackers posing as voters could slip corrupted "smart cards" into electronic voting machines that rely on such media or use a "signal"--say, a series of touch screen presses--that would trigger the software to swap votes to another candidate.

They also expressed concern that, if voting machines were hooked up to wireless signals, someone could sit outside the warehouse where the machines were stored--or simply use a PDA inside the polling place--to transmit malicious software to the voting machines.

The solution? Design the systems with as few additional frills as possible.

"I don't know if I'm going out on a limb on this, but wireless and voting do not mix," Shamos said, drawing applause from the audience.

2 comments

Secret innards are the problem
The only balloting system you can trust is one
that can be inspected and audited from one end
to the other. If we use computer-based voting
machines and tabulators, we can't trust them unless
we can inspect the code and we get a paper ballot.
There's nothing wrong with using a computer to
make marking a complex ballot easier, but
the paper ballot has to be the ballot of record,
archived for true recounts.

The current generation of "touch screen" direct
recording electronic (DRE) systems can't do that,
and you can't trust them. It seems plausible
that Ohio was stolen last year, but there is
NO WAY TO KNOW. The Diebold architecture
isn't capable of performing a recount, much
less being audited. The fact that its code
is secret and proprietary just makes things
worse. What they call a "recount" isn't
a recount, it's only a retabulation using the
same garbage data as the first time.
And slapping a printer on the side to print
a "receipt" doesn't make things any better.

There are two solutions. The all-paper system
they use in Canada, but our ballots in the US
are far more complex than theirs and it would
be incredibly slow and expensive for us to
use all-paper. Or we could use computer-
assisted paper ballots as proposed by the
Open Voting Consortium.
http://www.openvotingconsortium.org/
Posted by clsgis (41 comments)