[Engineering Feature]
The Ballot Is Open On Electronic Voting
E-voting will play a key role in the upcoming U.S. national election, despite ongoing charges that electronic voting machines are rife with security flaws and may be susceptible to EMI.
Hanging digits? The digital equivalent of hanging chads is a distinct and, to many, very disturbing possibility. Recent tests of several electronic voting machines suggest a danger that your vote will not be counted in November's national election, or that it could be counted more than once.
Four years after a bitter legal and political battle was fought over the vote count in Florida, the issue is now focused on the reliability and security of electronic voting (e-voting) systems. Can they accurately and securely count and record the millions of votes that will be cast next month?
Differences of opinion are as sharp as the country is divided in support of the candidates. But with nearly twice as many voters expected to use direct-recording electronic (DRE) voting machines this year versus 2000, and with no national technical standard or certification requirement for DREs, this will be a major and very public test of technology. Is the technology up to the task?
Several analysts don't think so.
Aviel D. Rubin, a professor of computer science and technical director of the Information Security Institute at Johns Hopkins University, and a member of the National Committee on Voting Integrity, testified before the U.S. Election Assistance Commission that he was "outraged" by the lack of security of DREs. "While today's DREs increase accessibility," he told the commission, "they do not provide adequate security."
Several studies of e-voting hardware and software suggest the entire election process may be at risk in terms of producing inaccurate counts of votes cast. One of the most comprehensive studies, conducted by Compuware Corp., was initiated by the state of Ohio. Compuware identified 57 potential security risks within the software and hardware tested.
The risks were sorted into high, medium, and low categories. Diebold Election Systems had five high-potential risk areas, two medium, and eight low-potential risk areas. Other vendors, including Election Systems & Software (ES&S), Hart InterCivic, and Sequoia Election Systems, also had a variety of risk areas, according to Compuware's analysis.
Another study presented in May at the IEEE Symposium on Security and Privacy, co-authored by Rubin and three other Johns Hopkins University computer science professors, concluded that "this voting system is far below even the most minimal security standards applicable in other contexts." The study identified several vulnerabilities and poor software development processes. It also suggested that without any insider information to guide them, voters could cast unlimited votes without being detected by any mechanisms within the voting terminal software.
The debate over e-voting began to warm up with the passage of the Help America Vote Act in 2002. HAVA provides federal money to states to improve the administration of their elections and to replace punch-card voting equipment with new, advanced voting equipment, such as DREs. One key element of this legislation allows voters to fill out provisional ballots if their eligibility is in question. The process is designed to avoid Florida's experience in 2000 when voters were turned away from the polls because their voter registration was questioned and could not be readily resolved. It's a crucial piece of legislation, particularly if the November election is close.
VOTE AND VOTE AGAIN
One of the most glaring security weaknesses in these machines, according to a number of analyses conducted last year, is a reprogrammable smart card that can be modified, allowing voters to cast multiple ballots without detection. The cards are supposed to be cancelled automatically after voters cast their ballots, but the system was easily circumvented with relatively cheap card programmers.
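The design lesson behind the smart-card weakness, as an added example that is not code from the article or from any vendor: a terminal that trusts a "cancelled" flag stored on a rewritable card is compared with one that authenticates the card and keeps its own record of spent serials. The card layout, field names, key handling and both terminal classes are hypothetical assumptions made for illustration.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

# Hypothetical model: none of these names or fields come from a real voting system.
ELECTION_KEY = secrets.token_bytes(32)  # assumed: known to the card encoder and terminals only

@dataclass
class Card:
    serial: bytes   # random identifier written when the card is issued
    status: str     # "ACTIVE" or "CANCELLED"; lives in rewritable card memory
    tag: bytes      # HMAC over the serial; checked only by the hardened terminal

def _tag(serial: bytes) -> bytes:
    return hmac.new(ELECTION_KEY, serial, hashlib.sha256).digest()

def issue_card() -> Card:
    serial = secrets.token_bytes(16)
    return Card(serial, "ACTIVE", _tag(serial))

class NaiveTerminal:
    """Decides eligibility from state stored on the card itself."""
    def vote(self, card: Card) -> bool:
        if card.status != "ACTIVE":
            return False
        card.status = "CANCELLED"      # cancellation exists only on the card
        return True

class HardenedTerminal:
    """Authenticates the card and records spent serials on the terminal side."""
    def __init__(self):
        self.spent = set()
    def vote(self, card: Card) -> bool:
        if not hmac.compare_digest(_tag(card.serial), card.tag):
            return False               # serial was not issued under the election key
        if card.serial in self.spent:
            return False               # already used, whatever the card claims
        self.spent.add(card.serial)
        card.status = "CANCELLED"
        return True

def accepted_ballots(terminal, attempts: int = 3) -> int:
    """Present one issued card repeatedly and count the ballots accepted."""
    card = issue_card()
    accepted = 0
    for _ in range(attempts):
        accepted += terminal.vote(card)
        card.status = "ACTIVE"         # constructed: card memory rewritten between attempts
    return accepted
```

The spent-serial set here covers a single terminal; a precinct with several terminals would need that record shared among them or reconciled against the poll book.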
Diebold Election Systems has received most of the criticism among e-voting machine vendors. In August 2003, the state of Maryland hired a third-party consulting firm, SAIC, which spends much of its time working on technology projects for the Defense Advanced Research Projects Agency and U.S. intelligence agencies, to analyze Diebold's AccuVote-TS system. In September 2003, Maryland made the report public. SAIC said that the system "as implemented in policy, procedure, and technology, is at high risk of compromise."
Despite the problems identified in the IEEE symposium presentation and by SAIC, Maryland plans to purchase the Diebold system, though the state has asked Diebold to make several technical changes in its voting machines. (Maryland's State Board of Elections admits that selecting Diebold is a compromise, but it says that "an alternative system could not be implemented in time to conduct the March 2004 presidential primary election and could jeopardize the November 2004 presidential general election.") The SAIC report suggests that by compromising on security, "the integrity and privacy of these elections may still be in jeopardy."
Another study by the consulting firm RABA Technologies, which last year won a $100 million contract from the National Security Agency for signal intelligence work, further validated the IEEE security symposium's presentation of the Diebold machines.
In September, California Attorney General Bill Lockyer announced plans to sue Diebold on charges it defrauded the state with false claims about its products. Lockyer earlier dropped a criminal investigation of Diebold. However, California's Secretary of State Kevin Shelley said Diebold deceived the state with aggressive marketing that led to the installation of its voting systems, which weren't tested or approved nationally or in California. Diebold has since said it will provide a number of security enhancements in its system and, in August, named a compliance officer to oversee the company's federal qualification and state compliance activities.