February 17, 2006 4:01 AM PST

Voter databases must be secured, report says

American history does not lack political entrepreneurs who invented novel ways to manipulate the results of elections, from Tammany Hall in the 19th century to Richard Daley's Chicago Democratic machine a century later.

But those party bosses never dreamed of computerized databases of voter records that would be vulnerable to even more stealthy and undetectable forms of manipulation by political operatives. Such centralized databases are now mandated by a federal law, and state election officials are scrambling to digitize reams of paper documents to meet its deadlines.

A professional organization of computer scientists warns, though, that state election officials may not have taken proper security precautions to guard against fraud. In a report released Thursday, the scientists call for more aggressive steps to protect the security, privacy and reliability of those databases.

"Nobody's done this kind of analysis," said Barbara Simons, an author of the report and past president of the Association for Computing Machinery. "We're not out to criticize anyone. We're out to try to provide information."

The 60-page report recounts security and usability techniques known to computer scientists for decades, but often not well understood by state election officials and bureaucrats who have been tasked with designing massive databases of millions of registered voters.

Twenty-eight states have chosen to award contracts for the databases to outside vendors such as Diebold, ES&S, and Accenture, while 21 states have chosen to develop the databases on their own, according to Electionline.org, a project sponsored in part by the Pew Charitable Trusts. (New York had not decided and North Dakota does not have voter registration.)

The Help America Vote Act of 2002 (HAVA) orders each state to create a "single, uniform, official, centralized, interactive computerized statewide voter registration" database that will be linked to other records such as ones stored by motor vehicle agencies. HAVA does say the database must be protected with "adequate technological security" but offers no details and fails to require encryption, for instance. The extended deadline was January 2006, but many states have not complied.

HAVA was enacted as a result of the disputed 2000 presidential election, which spotlighted dubious political practices such as a purge of more than 50,000 alleged felons from Florida voting rolls who may have been eligible to vote. Also, the New York Daily News reported in 2004 that about 46,000 New Yorkers are registered to vote in New York City and Florida and some have voted twice.

Unless proper authentication practices are followed, security flaws could permit hackers to insert fraudulent names into voter databases or delete names of eligible voters. "Since there are many ways that an attacker might try to subvert the system, one needs processes that encourage secure system design and detect and close significant vulnerabilities," the ACM report says.

Privacy is another topic that ACM singles out for attention. Although laws may vary, all states permit voter registration data to be sold for political purposes such as campaigning and direct mail. But 20 states and the District of Columbia also allow unrestricted access for commercial purposes such as marketing, according to the California Voter Foundation.

A recent report prepared by the National Association of Secretaries of State says that only 24 states were expected to comply with HAVA's database creation requirement by the Jan. 1, 2006 deadline. Most of the remainder, however, expect to have their databases in place by the fall 2006 elections, the association said.

I Hope they all....
Get it done and in place in time for the elections this fall. Which states have not complied yet? How close are they to being secured? Why are they not done yet? When I go to vote, I damn sure want to know that someone is not going to implement something that I have/have not input. What is the sense of voting when someone can change the results??!!
Posted by Eskiegirl302 (82 comments )
Incompetent federal-state division of tasks
Many counties and states rushed to buy new machines for their voters before the federal standards were even in place. These public entities were promised products that would meet the federal and state certification procedures when they were devised. The companies have had trouble meeting these standards, except where the standards were written to fit the equipment! A two year extension of the deadline would allow companies to meet the deadlines without cutting corners. No such extension is expected from Congress, so watch out for fraud in the next election cycle.

Some of the pink-collar workers who have made these million dollar decisions seem to have relied entirely on the sales force information to make their decisions. No outside research at all! (I wouldn't even buy a computer for home that way.) Other decision makers are political appointees who are mainly concerned with delivering the votes to the party which put them in office.

The Data-Vote system was 70's technology that continued to work when maintained properly. Some of the punch card systems (including the "Butterfly Ballot") didn't work because they had not been cleaned out after elections - for thirty years. Office paper punches need to be cleaned more often than that. The Data-Vote system is no longer supported by the manufacturer, so my county must buy something that is.
Posted by Fogwatcher 18 (1 comment )
College professors should stick to teaching
Unfortunately we still have a boatload of people who never left school for the real world, and just because they have DR in front of their name, think that everyone should drop to their knees when they speak. The "problems" with voting systems are the same kind they ran around panicking about during the Y2K scam (remember how life as we know it was going to cease on 1/1/2000?). These self-serving "experts" use these issues to gain notoriety, gain speaking honorariums, and gain publishing deals to feed their already massive egos!

I'd prefer they go back to the ivory towers of academia and ponder why it is that if they are so well respected, they are paid so poorly. Remember, those that CAN do, those that CAN'T teach...
Posted by HarDrive (1 comment )
Protecting Democracy
I think the same Federally mandated technology that protects our depositors' accounts could be used. That is four factor authentication with offline voting ID readers to bring privacy and accuracy to us. That's what I think. Ciao now.
Posted by Iohagh (54 comments )
Duuuuuhhhh! This is a no-brainer!
This is definitely a NO-BRAINER!!!

What I would like to know is:

WHY IN THE WORLD HAS "Nobody's done this kind of analysis," YET???

I would love to see a follow-up story with the answer(s) to that question!

Have these people never heard of database manipulation? Are they not aware of all the ways to manipulate the data... including a tainted Operating System?

Posted by wbenton (522 comments )
