Computer scientists have pressed for e-voting paper trails for years, in peer reports and in testimony on Capitol Hill. Now it looks like Congress is poised to ignore this idea: forthcoming legislation will say that a backup "electronic" record is OK too.
Senators Dianne Feinstein (D-Calif.) and Bob Bennett (R-Utah), who lead a Senate committee charged with overseeing election law, said they plan to introduce a bill in the next few weeks that would require voters casting ballots on touch-screen or so-called "direct recording electronic" machines to have the ability to verify their selections through "an independent paper, electronic, audio, video, or pictorial record." That's according to a press release that came out Thursday--a copy of the bill's text is not yet available because it's still being drafted, a Feinstein aide said.
Groups like the Association for Computing Machinery have long advocated for use of "hybrid" systems containing both electronic and paper components, which are designed to enable independent audits and provide a backup record in the event of buggy or hacked voting machine software. Princeton University computer science professor Edward Felten, an ACM advisory committee member who studies e-voting security, said Friday that he couldn't comment on the new bill without seeing more details.
The bill's approach seems to indicate that the senators feel some sympathy toward arguments that paper trails aren't the only option for independently verifying a voter's pick and that other innovative alternatives could emerge down the line. Michael Shamos, a professor of computer science at Carnegie Mellon University and consultant to the Pennsylvania government, is one such skeptic who has argued that paper ballots are susceptible to problems and rigging of their own.
The decision may also be a nod to state and local election officials who have complained about the costs associated with outfitting their machines with paper trails.
The new voting machine requirements would take effect on January 1, 2012, unless a state requested a waiver, which, if granted, would give it until the beginning of 2014.
That new deadline represents yet another delay in getting new federal electronic voting machine rules off the ground. Last year, Feinstein introduced a bill that would have required states to scrap paperless voting machines by this year's presidential election, but at a hearing last summer, she said she'd decided 2010 would be a safer bet, giving voting reform advocates and election officials more time to reach a compromise.
In addition to the new voting machine obligations, the bill would require states to do public audits of their election results. It would also establish certain security requirements for the voting machines and their software and would set up a research grant program designed to encourage development and testing of new technologies for verifying votes.
Feinstein said in a statement that the bill is necessary because "we now have a patchwork of voting systems throughout the country, including five states that use electronic voting systems but have no independent records to help ensure the accuracy and reliability of the vote, and eleven others in which large sections of their states use electronic systems that have no such independent records."
Meanwhile, 30 states already have legislation on their books requiring use of paper ballots in some fashion, according to Verified Voting, a group that advocates for use of paper trails. But other state officials have balked at the potential costs of upgrading their systems, particularly since some subscribe to the belief that providing paper trails isn't a panacea to ballot-tampering, anyway.
Opposition from Republicans and the White House has sparked defeat of a Democratic proposal to reimburse state election officials for converting their electronic voting machines to paper-based systems ahead of November's election.
The U.S. House of Representatives measure, called the Emergency Assistance for Secure Elections Act of 2008, had been called up for what's known as a "suspension" vote on Tuesday. That means in order for it to pass, two-thirds of the House would have had to vote in favor of the bill.
Instead, the bill fell well short of that threshold, garnering a 239-178 vote, with only 16 Republicans voting yes. (Two Democrats voted no.)
Paper or electronic? In the case of the Automark Voter Assist Terminal, it's both. The machine is designed to mark paper ballots for voters with disabilities. (File photo from 2005; in January 2008, Election Systems & Software acquired the assets of Automark Technical Systems.)
(Credit: Automark Technical Systems)Introduced in January by Rep. Rush Holt (D-N.J.), the bill was designed to encourage states to use paper-based balloting systems and to audit their results in exchange for federal funding to finance those ventures. But taking those steps is not mandatory, unlike by Holt and other politicians to require voter-verified paper records in all machines by this fall.
It was Congress that encouraged states to switch to electronic voting machines in the first place, doling out funding through a 2002 law known as the Help America Vote Act, or HAVA for short. But Holt and other bill sponsors say the law must now be revised "to support paperless jurisdictions' efforts to invest in voting systems that are equipped with an independent paper copy of each vote--verified by the voter him or herself--to serve as a check on any electronic tallies reported by the voting machines."
"Although these machines are generally easy to use and, if properly equipped, accessible to voters with disability and language assistance needs, the 2006 election revealed that these machines suffer from an essential flaw: the digital results reported from these machines cannot be audited independently," the bill's sponsors wrote in a report accompanying the bill.
The bill in question doesn't give a dollar figure for how much states would be reimbursed, delegating a federal agency known as the Election Assistance Commission to determine what's "reasonable." But the Congressional Budget Office estimated its implementation would cost $685 million in a single year.
Before the vote on Tuesday, House Republicans railed against that price tag--and said they're not convinced paper is the only solution to ensuring the integrity of elections.
"I think there are other methods of achieving redundancy," said Rep. Vernon Ehlers (R-Mich.), ranking member of the House Committee on Administration, which oversees election-related legal matters. He added that "hand counting is not as accurate as almost any machine counting that I have seen."
The White House also put out a statement (PDF) urging the bill's defeat, calling it "largely redundant with existing law, and therefore unnecessary." The White House also argued the bill authorizes "excessive spending," noting that about $3 billion in federal grants have been allocated to state election officials since 2002, with more than $1 billion in unspent funds remaining.
Holt, for his part, attacked the cost-related objections. "I note that many people who opposed this legislation supported spending almost $330 million in recent years to provide election assistance in Iraq, Afghanistan, and Pakistan," Holt said in a statement. "I would have hoped those who supported efforts to export democracy abroad would be equally committed to strengthening democracy here at home."
It was not immediately clear what would happen next with the bill. Even if it had passed the House, it might not have gone any further this year. On the Senate side, Sen. Dianne Feinstein (D-Calif.), who serves as chairman of a committee that oversees election law changes, said last year that she didn't expect any major changes to be required until 2010.
Elections departments around the country have spent millions on electronic voting systems that are flawed and officials aren't about to throw them out and start all over. The only solution is to conduct audits to verify the count after every election, a researcher and expert on electronic voting said at RSA 2008 on Thursday.
David Wagner, computer science professor at University of California, Berkeley, led a state of California-commissioned study last year of the three major electronic voting systems. The study found serious vulnerabilities in each system that would allow someone with access to just one of the machines to spread a virus that would infect all the other machines in the system and essentially control the outcome, he said in a panel discussion electronic voting.
The systems have architectural weaknesses, implementation flaws, and defects, similar to problems in commercial software that isn't designed with security in mind, according to Wagner.
"This puts our election officials in a terrible position," he said, adding that officials are stuck using the machines. As a result, audits are the only solution.
The audits should be public and they should be done automatically, as they are in California, which requires a paper trail, Wagner said. He praised the California audit methodology in which paper ballots are manually counted in a random sample of precincts.
Other researchers are coming to similar conclusions. At a conference in February, Princeton graduate student J. Alex Halderman suggested using machine-assisted auditing. And Ronald Rivest, professor of electrical engineering and computer science at MIT, said during a cryptographer's panel on Tuesday at RSA 2008 that voting systems should not depend on the software to capture the vote, but use paper or some other means.
The problem is, not every state that uses electronic voting equipment has a paper trail and many states don't do audits, even if they have paper ballots to count, Wagner said.
Hugh Thompson, chief security strategist at corporate security training firm People Security, who has researched flaws in e-voting systems, was pessimistic about whether audits will be widely adopted any time soon.
"If an election is close, in a lot of cases an audit, even if you have a paper trail, isn't conducted," he said. "In Florida, the election officials told us at the time that (in the event) they were suspicious, they didn't have authority to institute a recount."
On February 16th fellow CNET blogger Robert Vamosi wrote an item headlined "With improvements, e-voting could be good, says researcher." I think that e-voting is a very bad thing and that no "improvements" will ever convert it to a good thing. But I'm not an expert on the subject, so I asked Rebecca Mercuri, a specialist in computer security and electronic voting, if she would like to respond to the claim made by the "researcher" in question. Mercuri has appeared many times on the Personal Computer Show to discuss electronic voting, which is where our paths previously crossed. Her response is below.
Electronic Voting and Partial Audits -- Let's do the Math
Guest blogged by Rebecca Mercuri
www.notablesoftware.com
I did not attend ShmooCon 2008, but I found Robert Vamosi's synopsis of J. Alex Halderman's talk rather curious. I'm sorry to hear that Dr. Felten was ill, but it's dismaying to hear a report of yet another of his Princeton mentees extolling the praises of a hypothetical future crop of acceptable electronic balloting or counting machines.
Keep in mind, I'm actually a long-time Felten fan who stepped up to his defense a while back, when he was inappropriately trashed by an article in the Chronicle of Higher Education. Felten and his students are well known for their efforts over the years in exposing the vulnerabilities of electronic voting and tabulation equipment.
First, there was the now infamous 2003 report "Analysis of an Electronic Voting System"
The Feldman/Halderman/Felten paper noted the following main findings:
- "Malicious software running on a single voting machine can steal votes with little if any risk of detection..."
- "Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software..."
- "...machines are susceptible to ... computer viruses that can spread malicious software automatically and invisibly from machine to machine..."
But the fact remains that the field of computer science has not changed significantly in the last two years, nor is it expected to change any time in the foreseeable future, such that the currently unsolvable problems in the field that underlie these findings for all electronic voting and tabulation systems will miraculously vanish.
The problems I am talking about are those that involve computational complexity of the sort that make it infeasible to determine whether any computer is really doing what it is supposed to do, doing it correctly, and doing nothing else. Combine these issues with the insider physical access to voting systems, plus the secrecy of the ballot that precludes end-to-end auditing, and you have a problem meritorious of the Nobel Prize in Computer Science (of which there currently isn't one awarded, but there should be if these matters are ever fully mitigated).
Seeing as how the complexity of the issue itself is not even known to be solvable (view my comments on this topic at Harvardmagazine.com/2004/11/voting-into-vapor.html), the idea that "once the e-voting vendors improve their systems" (even if they were willing to do so, of which we have seen no evidence yet) they will somehow be ready for prime time, is simply ludicrous.
But Halderman is not alone in his cloying defense of e-voting among Felten's illustrious descendants. I and many others abandoned the ballot-behind-glass paper add-ons (sometimes known as the "Mercuri Method") back in 2003 after observing (even despite personal protest) how the vendors inappropriately designed these products such that denial-of-service attacks could be masked within a preposterous failure rate of upwards to 10 percent. Yet Avi Rubin waited until 2007 before disavowing e-voting, saying (to a U.S. House Subcommittee) "I now believe that a DRE with a VVPAT is not a reasonable voting system."
Editors note: A DRE is a Direct Recording Electronic voting machine. Simply put, electronic voting. A VVPAT is a Voter Verified Paper Audit Trail. Simply put, the ballot printed by a electronic voting machine. It is not a receipt, that is, it is not something the voter takes with them.
Rubin went on to say that he was (finally) endorsing "paper ballots with ballot marking machines for accessibility and precinct optical scanners for counting--coupled with random audits." But we know from numerous recent studies of optical scanners (first in Florida by Hursti, then in California where Felten's team was involved, and later in Ohio) that the optical scanners are also riddled with the same software-based vulnerabilities that affect the DREs. At least with hand-prepared paper ballots there is something to manually count. Notice I said COUNT, not audit. And here's where Felten's clan gets it wrong again.
According to the Vamosi article, at the hackers event, Halderman apparently described a method whereby only 1,000 votes for the winning candidate needed to be audited in a million vote race where 1 percent of the votes decided the winner. Let's do the math: If the race is 50.5 percent to 49.5 percent and you need to change half of the difference (0.5 percent or a little more than 5,000 votes) from one candidate to another, then any randomly selected handful of votes of the winner would likely have about 1 percent bogus votes in it. So, using Halderman's example, out of 1,000 votes for the winner, you might then expect to find around 10 that should have gone to the loser. As it happens, 10 flipped votes is small enough to be shrugged off as a "clerical error" by the election officials (as we've observed in the recent New Hampshire primary recount, where hundreds of vote variations were detected).
Halderman's audit method (which I have not yet seen described other than in the CNET article, though it is likely similar to other proposed partial audit methods) becomes more dubious when you consider a real election scenario. There's typically a few third-party candidates and also the mysterious "undervote" rate that is usually explained away by "people choosing not to vote in that race" (sometimes in astonishing numbers, but typically about 5 percent of ballots cast). These undervotes are entirely indistinguishable from the vote counting system siphoning off a few votes here and there in order to achieve a desired result.
So let's factor this in as follows: one million votes, 465,000 to the winner, 455,000 to the first runner-up (1 percent of the votes decided the winner), 30,000 votes to the 3rd party candidates, and 50,000 undervotes (a 5 percent undervote rate). Now you have THREE places to bury votes--ones given to the winner that should have gone to the loser will count double (since they have to be subtracted from the winner as well as added to the loser), plus the 80,000 votes in the 3rd party candidate and undervote counts. Problem is, you don't know which ballots were counted as "undervotes" by the computer, where actually a legitimate vote had been recorded, without pulling all of the undervoted ballots out and seeing if their hand-counted total precisely matches the number of undervotes that the machines reported.
Basically, the likelihood of detecting 10 easily-dismissed, instances of vote tabulation fraud by counting only 1,000 of the winner's votes may be nil (especially if the thieved votes are mostly buried in the third party and undervote counts). You also have to consider the fact that the bogus votes are probably not going to be evenly distributed, but will likely clump up in particular precincts, thus making detection far less probable than what is typically theorized by many partial audit proponents. And we haven't even discussed the issue of county or municipality consolidation of vote totals, another highly vulnerable insider-managed process that requires independent reconciliation with the precinct counts.
What I'm saying is that VVPAT/DREs and partial audits (even of optically scanned ballots), despite the misplaced claims of some of Ed Felten's students, do not provide sufficient assurances to resolve the multitude of election integrity issues that we know are present with computerized voting and ballot counting.
Democracy is ill-served whenever quick-fixes are proposed that are not based on sound theoretical underpinnings combined with a decent understanding of election administration risks. If the inevitable answer is to publicly hand count all of the paper ballots on election night, then let's immediately start looking for ways to transparently apply good technology solutions to ensure that ballots and their subsequent vote totals are not damaged, altered, removed or replaced, along with instituting comprehensive security controls, rather than continuing to promote palliative shortcuts that run considerable risk of providing false validations of unjustified victories.
See a summary of all my Defensive Computing postings.
With this year's presidential race in full swing, it's easy to forget about alleged electronic voting glitches that snarled at least one congressional contest in 2006.
But a report issued by government auditors this week is drawing new attention to what many computer scientists view as the perils of touch-screen machines that don't produce a paper record.
It all goes back to the November 2006 election in Sarasota County, Fla., where more than 18,000 of the county's ballots--or, put another way, 1 in 7 voters--didn't register a pick in the U.S. House of Representatives race. County officials went on to certify Republican Vern Buchanan as the winner by a 369-vote margin over Democrat Christine Jennings, who went on to lodge legal challenges.
The arguably abnormal undervote prompted concern from voting rights advocates about the possibility of glitches in the Elections Systems & Software iVotronic voting machines used in the race. (Florida has since announced its intention to ditch the touch-screen voting machines.)
Now government investigators appear poised to put the events behind them. A Government Accountablity Office report (PDF) released Thursday contends a series of tests staged last fall demonstrate that nothing was amiss with the voting machines themselves.
"Although the test results cannot be used to provide absolute assurance, we believe that these test results, combined with the other reviews that have been conducted by the State of Florida, GAO, and others, have significantly reduced the possibility that the iVotronic DREs (Direct Recording Electronic machines) were the cause of the undervote," the GAO wrote. "At this point, we believe that adequate testing has been performed on the voting machine software to reach this conclusion and do not recommend further testing in this area."
And on Friday, the U.S. House of Representatives task force that had commissioned the report voted, based on those conclusions, to recommend ending its investigation and Jennings' legal challenge to the results. A vote scheduled for next week in the House Committee on Administration is likely to make that decision final.
"This investigation served a critical role in fulfilling the House's constitutional responsibility when seating members of Congress," said Rep. Charles A. Gonzalez (D-Texas), who served as task force chairman.
End of story, right?
Hardly, if you ask computer scientists who study electronic voting machines.
The Verified Voting Foundation, a group founded by Stanford University computer science professor David Dill that advocates for paper trails accompanying all electronic ballots, argues the GAO's test methods were "insufficiently ambitious" to determine whether the machines were at fault.
To reach its conclusion, the GAO set up three tests: checking the firmware on a representative sample of machines to gain "reasonable assurance" that machines had been running the correct, certified programs on the contested election day (they did); seeing whether predefined test ballots showed up properly and recorded votes accurately on 10 iVotronic machines (they did); and "miscalibrating" two iVotronic machines to see whether they would still record the ballot selections displayed on the screen (they did, for the record, although with some difficulty on the part of the test-voter).
But the Verified Voting Foundation says the auditors should have also explored a number of other areas, such as internal bug data, firmware on the "cartridges" that are inserted in the machine to record a voter's ballot, and equipment manufacturing quality.
"The GAO tests add little to what we already knew," said Princeton University computer science professor Edward Felten, who has authored reports on e-voting vulnerabilities. "There is still insufficient evidence to determine what caused the undervotes."
Dill maintains his group isn't trying to criticize the GAO but wants to highlight how difficult it is to sort out election irregularities in a contest relying solely on complex computer systems. By Verified Voting's count, five states were still using paperless electronic voting systems on Super Tuesday--Arkansas, Delaware, Georgia, New Jersey, and Tennessee.
"Had this election been conducted on a voter-verified paper ballot system, as in surrounding counties that form part of District 13, it probably would not have failed," he said. "More to the point, it would have been a lot easier to find out what happened."
In any case, Jennings, for her part, plans to challenge Buchanan for his seat again this year.
New Hampshire officials on Friday said they'll conduct a statewide hand recount of the results of Tuesday's primary in response to complaints from two underdog candidates. The last time New Hampshire conducted a statewide recount in a presidential primary was in 1980.
Dennis Kucinich, the Ohio Democratic congressman, and a Republican contender named Albert Howard, whose Web site proclaims "The Angel of the Lord told me in January of 1992 that Hillary Rodham Clinton and I would meet and be running against each other and that she would lose," will be expected to bear the costs of the recount, which is scheduled to begin Wednesday.
The exact price tag was still being determined, New Hampshire Secretary of State William Gardner said in a statement (PDF).
According to published reports, Kucinich requested the recount because of possible vote count "irregularities"--specifically, differences in results for Hillary Clinton and Barack Obama between ballots that were hand-counted--typically in smaller precincts--and ballots that were counted using a machine. Most New Hampshire voters use Diebold optical-scan machines, in which voters pencil in their choices on a piece of paper that's fed through a machine, SAT-style.
Some activists have suggested that because the numbers show that Clinton fared better in machine-counted areas, the machines were somehow hacked in her favor. The blogosphere has helped to fuel the controversy, with one Ron Paul supporter posting a painstaking breakdown of numbers from hand-counted versus machine-counted locales. (He says he's not out to push any agenda--except "that the voters on both sides be accurately represented.")
At least one computer scientist who has weighed in frequently on e-voting security issues, Princeton University Professor Ed Felten, has said the more likely explanation is demographics, not digital mischief.
According to unofficial results recorded by the Secretary of State's office, Howard received 44 votes, and Kucinich received 3,901, which represented about 1.4 percent of the total. Hillary Clinton and John McCain respectively racked up 39 and 37 percent of the Democratic and Republican vote.
"This recount isn't about who won 39 percent or 36 percent or even 1 percent," the Ohio congressman said in a recent statement. "It's about establishing whether 100 percent of the voters had 100 percent of their votes counted exactly the way they cast them."
Glitches in touch-screen electronic voting machines without paper trails tend to rack up the most attention these days. But an irregularity over ballots marked by hand and scanned by a computer like standardized tests--known as the "optical-scan" approach--is poised to create a snafu in upcoming mayoral elections in San Francisco.
Illustration of an ES&S optical-scan ballot
(Credit: California Secretary of State)According to a San Francisco Chronicle report on Wednesday, there's concern among state officials that "less-sensitive" scanning machines at polling places across the California city won't be able to pick up ballots marked with anything other than a No. 2 pencil or a special pen provided by the voting machine manufacturer, Election Systems & Software (ES&S).
For that reason, California Secretary of State Debra Bowen has decreed that the ballots cast during the election on Nov. 6 can only be counted using machines at the election headquarters--which, according to the city's election chief, officials will only be able to count about 10,000 ballots each day.
Considering more than 270,000 votes were cast in the last mayoral election, the special process could delay release of a final tally by weeks.
The latest news could prove a wake-up call for folks like Sen. Dianne Feinstein (D-Calif.), who have sung the praises of optical-scan systems because of the paper trail they leave behind. As the situation in San Francisco illustrates, even those machines aren't foolproof and beg for robust audits afterward.
Bowen's move is part of an ongoing dispute with ES&S over the reliability of its machines, according to the Chronicle. In late August, she issued a statement suggesting ES&S had misled four California counties and San Francisco into buying nearly 1,000 machines that hadn't been certified in the state.
She reportedly sent a letter to the Omaha, Neb.-based firm last week that accused the company of failing to fix problems that have been flagged in the past. Earlier this year, Bowen commissioned a top-to-bottom review of the state's voting systems and, displeased with the findings, ultimately imposed new conditions on all machines used in California precincts.
A Democratic-backed contingent in Congress is still hoping to enact a requirement that all electronic voting machines used in next fall's presidential elections produce voter-verified paper trails, but a bumpy road lies ahead.
Elections officials supervise voters using the high-tech voting gear at Sinclair Elementary School in Prince William County, Va., in November 2006.
(Credit: Karen Bleier/AFP/Getty Images)The U.S. House of Representatives Committee on Rules met on Wednesday to begin discussing H.R. 811, the Voter Confidence and Increased Accessibility Act of 2007, but never reached an agreement on how to proceed with the bill. They were supposed to meet again on Friday morning, setting the stage for a vote as early as Monday, but that meeting was canceled.
As Congressional Quarterly reports, that means a vote won't occur until at least the week of September 17 (next week will be shortened for Congress because of the Rosh Hashanah holiday)--if then. Local officials, and in particular the National Association of Counties, have mounted intense opposition to the bill and took the postponements as a positive sign for their cause. They believe the bill establishes an unrealistic timetable and doesn't set aside enough money to help them implement the changes.
The bill would generally require all voting precincts nationwide to conform to the new requirements in time for the federal elections in November 2008. The bill sets aside an extra $1 billion to help states get their systems in order, but opponents say that's still not enough. Although 30 states already require a paper record, not all of them have put those changes into place yet.
In addition to the paper record mandate, the bill also proposes a number of new security obligations, such as a general ban on any wireless technology in the machines and on connecting devices used to record or tabulate ballots to the Internet. Only equipment preapproved by accredited test laboratories would be eligible for use in federal elections--a move aimed at keeping potentially flawed software from being slipped in at the last minute. And audits would have to be conducted in all federal elections unless a seat up for grabs was uncontested or a candidate had received more than 80 percent of the vote.
A number of public-interest and voter advocacy groups support the bill, chiefly sponsored by Rep. Rush Holt (D-N.J.), because they believe adding a paper trail to the e-voting process is the only way to perform reliable audits of elections and to assure voters their ballot has been cast as they desired. Some have conceded the Holt proposal isn't perfect--arguing, for example, that it doesn't have a robust enough requirement that voting machine source code be disclosed for inspection--but nonetheless say it's an important step forward.
It's a multifaceted issue, to be sure: Even a paper trail can present privacy and security concerns, as demonstrated by a study in Ohio that CNET News.com reported last month.
A recent report documenting computer scientists' ability to hack into voting machines certified for use in the state of California has already begun reverberating on Capitol Hill.
Sen. Dianne Feinstein (D-Calif.), who happens to be one of the chief sponsors of a bill that would prohibit paperless voting machines by the 2010 federal elections, says she plans to hold a hearing in September on the report in the Senate Committee on Rules and Administration, which she leads. The politicians are expected to break for the summer at the end of this week.
In a statement Tuesday, Feinstein expressed dismay at "how easily these machines could be hacked into and election results distorted," based on her reading of the report.
"The findings are yet another reason that states and counties should consider a move to optical scan machines that provide an auditable, individual
The study, commissioned by California Secretary of State Debra Bowen, focused on machines made by Diebold Election Systems, Hart InterCivic, and Sequoia Voting Systems. The University of California researchers who conducted the testing rattled off a list of security weaknesses they were able to exploit in each of the machines--although they didn't attempt to quantify how difficult it was to carry out the hacks.
Forgive me if this isn't some major news flash, but let's document it for posterity anyway: University of California computer scientists have recently shown it's possible to carry out a bevy of hacks on electronic voting machines currently certified for use in the Golden State.
In reports released late last week, the researchers chronicle their five-week endeavor, at the request of California Secretary of State Debra Bowen, to exploit examine machines made by Hart InterCivic, Sequoia Voting Systems and Diebold. The same models are also in use in many other states, according to a database compiled by the Election Reform Information Project.
Their conclusion? "The security mechanisms provided for all systems analyzed were inadequate to ensure accuracy and integrity of the election results and of the systems that provide those results," wrote principal investigator Matt Bishop, a computer science professor at the University of California, Davis. (Click here for a PDF of that report.)
In each case, the testers were able to overwrite at least some of the firmware used on the machines and replace it with malicious programs--which, at times, could alter the recording, reporting and tallying of votes.
There were other flaws as well. With the Diebold AccuVote-TSX system, they found that a "well-known static security key" was used by default on the machine. On the Hart eSlate machine, the testers succeeded in remotely capturing the audio from an audio-enabled vote session, which poses a potential violation to a voter's privacy.
The researchers were quick to note that they didn't attempt to quantify how difficult or plausible it would be to pull off the attacks. Most of the attacks could be prevented by better physical security surrounding the devices, staff training and contingency planning. The testers also said their study would have benefited from additional time and that they were denied all the code and information--in particular, from Hart representatives--needed to conduct thorough scrutiny.
The Secretary of State planned to hold a public hearing on Monday in Sacramento to receive feedback on the reports from the voting machine vendors subject to the tests and from public commenters. California must act on any changes to its 2008 election equipment by Friday.
Sequoia, for its part, put out a press release that criticized the study's approach. The company said it concluded "none of the threats outlined represent a realistic threat if the normal, procedural mitigations are in effect."
The findings are likely to fuel an ongoing Capitol Hill debate over whether to ban the use of electronic machines that lack paper trails. According to a recent New York Times report, sponsors of such an effort in the House of Representatives are hoping to pass a compromise version--requiring the paperless machines to be scrapped by 2012 instead of 2008--before Congress departs for its August recess at week's end. The Senate, however, appears to be moving more tentatively.
But the California findings suggest the paper trail requirement may not be a cure-all by itself: the testers, after all, were also able to manipulate the paper receipts produced by touch-screen machines in the Diebold and Hart machines.
- prev
- 1
- next
