Jury still out on e-voting

Three years after the Florida election results debacle, electronic voting machines remain largely untested and controversial.

Legislation that could add voter-verified paper ballots to controversial touch-screen electronic voting machines remains stalled in a House committee, despite 61 cosponsors.

More and more election authorities are buying the machines, which are made by several companies. They are spurred by the Help America Vote Act of 2002 (HAVA). The law provides funding to replace outdated punch card and lever systems in an effort to avoid repeating the Florida chad controversy that kept the 2000 presidential election in limbo for weeks.

Touch-screen machine glitches caused some problems in the Nov. 4 elections. In Virginia, the Fairfax County Republican Committee filed a suit Nov. 4 challenging the validity of some votes after several malfunctioning machines were taken away from polling places for repairs while the election was under way.

Nine machines were taken out of their polling places, repaired and returned, said Judy Flaig, Fairfax County election manager. "No votes were lost," she said.

Eddie Page, chair of the county Republican group, said the challenge wasn't about the technology. "Voting machines were removed from the ballot house," he said. "It has nothing to do with the hardware at this point." Advanced Voting Solutions Inc. of Frisco, Texas, made the machines.

However, critics of the electronic systems say that voters using them have no way to verify that their votes are being recorded and counted accurately.

In addition, some computer scientists believe that at least one company's software contains security flaws that could allow vote tampering, based on research led by Aviel Rubin, an associate professor of computer science and technical director of the Johns Hopkins University Information Security Institute in Baltimore.

Officials at the company, Diebold Inc. subsidiary Diebold Election Systems, dispute those claims and say the scientists used an early version of the code and made faulty assumptions about election procedures. Diebold officials, however, did not respond to repeated requests for interviews.

The legislation, called the Voter Confidence and Increased Accessibility Act of 2003, introduced by Rep. Rush Holt (D-N.J.) in May, would require that the machines, generically called direct recording electronic (DRE) machines, print out a paper record of each vote so the voter can make sure it is correct. The printed ballot would be stored at the polling place and used if a manual recount or an audit of the results is needed.

Although the bill has attracted 61 cosponsors — all Democrats — it is still in the House Administration Committee. The bill has yet to attract any Republican support, according to Holt's staff.

"HAVA is fueling a rush by some states to buy computerized voting machines that have serious defects," Holt said in a statement. "Unless Congress acts to pass legislation that would ensure that all computerized voting machines have a paper record that voters can verify when they cast their ballots, voters and election officials will have no way of knowing if the machines are counting votes properly."

Paper records introduce their own problems, Flaig said. "The problem we have is who verifies the voter?" she said. Voters who wanted to create chaos could falsely claim the paper record did not accurately reflect their votes. "And we couldn't prove it at all," she said. "At some point, you've got to trust the system."

Holt introduced his bill as concern over so-called black box voting was building. In July, the Johns Hopkins team fanned the flames with the results of their analysis of Diebold AccuVote-TS code, obtained from an unofficial Web site. Maryland officials, who were close to finalizing a $55 million purchase of machines to use statewide, asked Science Applications International Corp. to perform a second analysis.

SAIC officials confirmed that the Hopkins researchers had analyzed the code properly, but said that many of the risks could be avoided or minimized by not connecting the machines to a network and by implementing security protocols and processes for election officials and poll workers.

SAIC's report, dated Sept. 2, echoed Diebold's criticism. "While many of the statements made by Mr. Rubin were technically correct, it is clear that Mr. Rubin did not have a complete understanding of the state of Maryland's implementation of the system and the election process controls or environment, [which] reduce or eliminate many of the vulnerabilities identified in the Rubin report," the SAIC report states.

Ultimately, Maryland officials completed the purchase, accepting 12 of SAIC's 17 recommendations. Diebold officials agreed to make three software changes to increase security but only for machines sold in Maryland.

The recommendations included steps to make the machines more secure and to raise the awareness of election officials. State officials agreed, among other things, to bring the system into compliance with the state's Information Security Policy, to implement a formal and documented system security plan, to change default passwords printed in Diebold's documentation and to review any changes to the system through a formal risk assessment process.

The Hopkins team suggested that unscrupulous voters or poll workers could forge the smart cards that citizens use to cast their votes, thereby allowing multiple votes. The team also reported that if election results were transmitted via the Internet from polling places to a central office, they could be intercepted and altered en route.

In addition, someone within Diebold could add malicious code to the system that would open a door for exploitation on election day, they said.

Diebold officials, in a written rebuttal to the report, disputed all of those assertions.

"There are some [issues] that could be solved relatively easily, some that would take a lot of effort and some that we don't think are solvable," Rubin said. "A lot of things that they need to fix, they don't have the talent for."

Unlike the Hopkins team, the SAIC researchers examined the machines themselves, said Benjamin Haddad, SAIC's senior vice president. "It was an analysis of the Maryland systems. They have the Johns Hopkins report available to them, but the analysis was of the machines," he said.

Although the SAIC researchers agreed that many of the fears the Hopkins team raised were unlikely to threaten a real election's integrity, they did not give the system a pass and emphasized the need for meticulous security safeguards.

"The system, as implemented in policy, procedure and technology, is at high risk of compromise," the report said.

The debate is a healthy one for the electronic voting industry, said Aldo Tesi, president and chief executive officer of Election Systems & Software Inc., a Diebold competitor in Omaha, Neb. However, he said, election procedures and the realities of the polling place do contribute to the integrity of the process.

"What we've had to do is educate those who are not so close to our products about the features that are already in there, and the procedures that must surround those features," said Ken Carbullido, ES&S' vice president of software engineering. "There is so much in there that the public doesn't know behind the scenes that makes it much more secure than people realize."

Many critics of DRE machines argue that until the security of the systems can be established beyond doubt, paper records should be mandatory. "It ought not be up to people like the Johns Hopkins guys to prove the equipment is insecure," said David Dill, professor of computer science at Stanford University. "The vendors should be made to prove they are secure."

Dan Wallach, assistant professor of computer science at Rice University and one of Rubin's team members, said poll workers and local election officials should not be required to prove the system is working because they are not technology experts

In Maryland, for example, Diebold officials agreed to change the system to encrypt the electronic transmission of election results and provide personal identification numbers for election officials so the system can log the identities of those accessing it.

The state also will establish a formal process for the review of audit trails and provide information security awareness and training for people who have access to the systems.

"The state of Maryland is requiring very, very small changes to Diebold's source code and putting all the onus on poll workers, which is very, very difficult and is not good enough," Wallach said.

Kim Zetter, a reporter for Wired News who has been following the issue, tested the notion that trained poll workers are the real defense against fraud during the October recall election in California. Observing a training session in Alameda County, she found apparent lapses in procedures, she said.

"The registrar of voters of Alameda County assured me that despite what was raised in that report, Alameda County was safe because they had procedures in place that would prevent" any problems, Zetter said.

"I was a bit amazed at not only the lack of security, but also their cavalier attitude about the lack of security," she said. "It didn't seem to register with them the things I raised to them. They didn't ask for my ID. They never asked anyone for ID."

Poll workers get keys to the machines and the buildings they are stored in several days before the election, Zetter said. The same key will open all the machines in the voting precinct — and possibly the whole county — giving any one person access to multiple machines, she said.

"No one seems to be addressing security issues because they don't expect anybody to do anything," Zetter said.

Some DRE critics point to optical scan devices as a better computer technology, because the voter fills out a paper ballot that the scanner then reads. Such systems combine the benefits of rapid and accurate vote tallying with the security of a paper audit trail to check in case of a dispute, they say.

Tesi said ES&S would be willing to add a paper record capability to its touch-screen machines if buyers want it.

Skepticism about the machines hurts the election process, Flaig said. "It's gotten to the point now, after Florida, where everybody who loses a race wants to go to the courts and find a way to change it," she said. "Nobody loses anymore because they didn't get as many votes. It's always because somebody tampered with something. Maybe the other candidate had a better message."

"I think we need an election system that doesn't depend on the technology," Dill said. "You can't make an ordinary computer secure enough to deal with voting without a backup system. Voting is a hard problem. People want to steal elections. Elections are a matter of national security. I don't think it's really doable right now."

***

Covering the bases

Maryland leaders decided to implement 12 measures that Science Applications International Corp. officials recommended to minimize the risk of electronic voting data being compromised.

Here is a sampling of what they agreed to:

* Bring Diebold Inc.'s AccuVote-TS voting system into compliance with Maryland's information security policy and standards.

* Consider creating a chief information systems security officer position at the Board of Elections.

* Implement a formal, documented, complete, and integrated set of standard policies and procedures.

* Apply cryptographic protocols to protect the transmission of vote tallies.

* Require 100 percent verification of unofficial election results.

* Establish a formal process requiring the review of audit trails.

* Provide formal information security awareness, training and education appropriate to each user's level of access.