Voting under a cloud of suspicion

Decertification of touch-screen voting machines in California challenges public confidence in e-voting

A recent decision by California’s top election official to decertify electronic voting machines in 39 counties because of widespread security problems is the latest flash point in the campaign to implement e-voting nationwide. Continuing disclosures of vulnerabilities in e-voting technology are an embarrassment to voting machine vendors and have made many voters mistrustful of e-voting, political experts say.

Matt Blaze, University of Pennsylvania

California Secretary of State Debra Bowen ordered Aug. 3 that hundreds of voting machines be decertified after security tests found pervasive vulnerabilities at nearly every level of the
e-voting system. Machines manufactured by Diebold, Sequoia Voting Systems, and Elections Systems and Software (ES&S) were decertified after researchers found what research team leader Matt Blaze said were “significant, deeply rooted security weaknesses in all three vendors’ software.”

Blaze, associate professor of computer science at the University of Pennsylvania and an expert in cryptography, said rather than finding holes designed to exploit voting records, researchers found “garden-variety design and implementation blunders that plague any system not built with security as a central requirement.”

Bowen has been criticized for rushing the testing to comply with a finish date of July 20 and a final certification approval date of Aug. 3.

Michelle Shafer, vice-president of communications and external affairs at Sequoia Voting Systems, said the testing process did not involve a realistic scenario of how electronic voting machines could be hacked or misused. None of the tests were conducted in a realistic voting environment, Shafer said. “The research team was just given unfettered access to the materials and source code, without any process or procedure as to what might actually happen.”

However, in the tests, researchers discovered troubling problems and security holes. “The fact that major security vulnerabilities were found in all machines is a testament to how poorly they were designed, not to the thoroughness of the analysis,” wrote security researcher Bruce Schneier.

Bowen conditionally recertified the machines as safe to use provided the manufacturers adhere to a lengthy list of security requirements, including sharing the source code with state election officials and providing manual-audit counts of all votes cast using the machines.
Another research team in Florida published results of a series of certification tests of Diebold voting machines requested by the Florida Department of State. The Florida team found that, although Diebold had attempted to fix previously reported flaws in its optical-scan and touch-screen software applications, many flaws remained unaddressed.

For example, the team found that an outsider could convert designated-voter cards into smart cards that could register multiple votes in a single session, enabling an attacker to stuff the electronic ballot box. The team also found that optical-scan machines could have their memory cards swapped out for new ones that would change votes cast on that particular machine, according to a report published by the investigative team of university computer science professors.

Bowen’s office conducted a deeper investigation of ES&S’ business practices in California and found the company may have sold as many as 1,000 uncertified and untested voting machines to five California counties. The state is investigating the possibility that ES&S might have added certification stickers to machines that had not yet been tested. The company could face fines of as much as $10,000 per uncertified unit and be barred from doing business in California for as long as three years if found guilty.

Why do e-voting technology vendors continue to provide machines that are deeply flawed? Vendors are not required to build secure products, and therefore they don’t approach building new voting technologies with security in mind, said Rebecca Mercuri.

Mercuri, founder of the Notable Software computer security firm, proponent of the voter-verified paper audit trail (VVPAT) concept and an expert on voting technology, said it is pointless to continually recertify or resubmit machines and technology that have repeatedly proven untrustworthy.

Mercuri said the Election Assistance Commission should completely decertify all existing electronic voting technology and work on improving paper-based voting technology and standards until a new electronic voting system can be designed and implemented. “Adding VVPATs to existing insecure products won’t solve the problem,” she said. “We need to get rid of all the existing products and start from scratch with new designs.”

Rep. Rush Holt (D-N.J.) has proposed new legislation that would mandate the use of electronic voting machines that produce a voter-verified paper ballot, beginning with the 2008 presidential election. The Voter Confidence and Increased Accessibility Act would make paper ballots the primary record for vote recounts and audits.

It would ban Internet and wireless connections in voting machines and prohibit the use of uncertified and untested voting software.
Holt praised the California official’s decision to conditionally decertify the audited voting machines, saying that findings of systemic problems bolstered the need for his bill. “We can’t go into another federal election with machines that do no allow voters to verify their votes and have people in 20 states saying they do not believe the results,” Holt told Steven Rosenfeld, a senior fellow at AlterNet.org, an alternative online news magazine.

A coalition of organizations representing disabled Americans opposes Holt’s bill. They say it will undermine disability standards set by the Help America Vote Act of 2002. Jim Dickson, director of the Disability Vote Project at the American Association of People with Disabilities, said “Luddites who want all-paper balloting don’t know the realities of election administration.”

Dickson advocates electronic voting as a way to increase voter turnout and ensure that votes from disabled, military and overseas voters are counted. “Low voter turnout is a much bigger problem for elections than problems with voting machines,” he said. “Internet and electronic voting have already been used in the corporate world and successfully in other countries. It’s more convenient and will increase voter turnout.”

Dickson, who is blind, said that if Holt’s bill were enacted, “reel-to-reel paper would become the ballot of record.” Votes cast with direct-recording electronic voting machines would not be counted, leading to greater disenfranchisement of voters, he said.

Despite sharing Dickson’s concerns, Mercuri said many of the machines designed to aid disabled users don’t fulfill that function. Some touch-screen machines instruct voters to ‘press the yellow button.’ “How is a blind person supposed to use that?” she asked. Mercuri said some voters in New Jersey waited as long as 40 minutes to vote while election officials helped disabled voters figure out how to use the machines made for them. “Many of these machines are too cumbersome for the disabled to use, and not every machine can be built to handle every disability.”

Mercuri, who supported earlier versions of Holt’s bill, said she opposes the present bill because of what she sees as interference from industry. “When you have private interests like Microsoft inserting clauses into the bill saying that you can’t reveal trade
secrets in your examination [of the software code], how is that openness?”

When it comes to the central issue of security versus usability, each side in the e-voting battle believes the other should be willing to give ground. Proponents of e-voting technology believe that some security weaknesses are a necessary trade-off to ensure voting machines can be accessible and convenient for voters to use.
“I could have built a system tough enough to withstand a nuclear weapon, but voters and auditors wouldn’t be able to use it,” Shafer said.

Mercuri said opponents of paper balloting and auditing are convinced that the technology has not advanced since the 1880s. “We can do amazing things with paper today,” such as using watermarks or fluorescent fibers embedded in ballot paper to prevent tampering or counterfeiting, she said. “Paper has more security controls and more capability now than ever before.”

In addition to the controversy about touch-screen machines, security audits and competing interest groups, a more fundamental question needs attention, some voting-rights advocates say. Will any advance in technology effectively succeed in raising the dismal voter turnout levels in the United States, or will voters continue to feel disenfranchised and unmotivated to participate in the democratic process?

<>

That question troubles David Moon, program director of FairVote, a voter rights advocacy group. “Alterations to voting equipment fundamentally alter the structure of democracy,” he said. “There’s a disincentive to participate if you don’t believe the process is being conducted fairly.”

Moon said the problem is deeper than flawed equipment and rests in the decision to outsource the administration of elections and election systems to private companies. “There’s a profit motive involved in everything they do,” Moon said. “There’s no accountability or reliability when you have companies charging states to perform security reviews and handling every aspect of the election process.”

There also is no magic bullet that will solve the complex issue of accessible, secure voting and address the needs of every user group, Moon said. “We need multiple types of equipment and multiple solutions for each voting system. We really need, most of all, transparency and a return to public ownership of the voting process.”

Bosworth is a technology writer who lives in Washington.

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above