Much of the American electoral process has always been based on trust. But how trustworthy is the new voting technology most jurisdictions have recently implemented?
Computer security professionals have long been concerned about known flaws in electronic voting systems.
In September, three computer scientists at Princeton University’s Center for Information Technology Policy released a study of Diebold AccuVote-TS machines that casts serious doubts on the security, accuracy and reliability of Diebold Direct Recording Electronic (DRE), or touch-screen, voting systems. A newer version of the Diebold machine, the AccuVote-TSx, equipped with a printer to verify voters’ ballots and, the manufacturer claims, improved security features, is in use in San Diego County.
The Princeton study, conducted by Prof. Edward W. Felten, head of the new Princeton center, and graduate students Ariel J. Feldman and J. Alex Halderman, points out key weaknesses. They demonstrate how the Diebold AccuVote-TS, and similar DREs, can be infected with a malicious vote-stealing virus “with little if any risk of detection,” and how the virus can then be transferred to other machines through a memory card used to upgrade software.
Based upon their tests of an AccuVote-TS machine, they concluded a machine could be corrupted with as little as one minute’s access to it. They posted a video on the Internet (see link below) demonstrating operation of their malicious, election-stealing software.
In a subsequent posting on his Web site, Freedom-to-Tinker.com, Felten reported that the access panel door on the Diebold machine he tested was secured only by a standard lock and key widely used on office furniture, jukeboxes and hotel minibars. This is “the door that protects the memory card that stores the votes and is the main barrier to the injection of a virus,” he wrote.
An earlier study by Harri Hursti, released in May 2006 by Black Box Voting, reached similar conclusions about security flaws in the Diebold AccuVote-TSx system in use in San Diego.
Diebold does not sanction independent security evaluations of its machines.
San Diego County purchased the AccuVote-TSx system from Diebold in 2004 for more than $30 million. A printer module with software was later added to meet state requirements for a voter-verifiable paper trail.
Despite the studies and a recent story about possible theft of Diebold voting software in Maryland, San Diego County Registrar of Voters Mikel Haas insists that San Diego’s touch-screen voting machines are safe and not vulnerable to tampering.
“We use encryption and our own password is encrypted,” Haas explained. “We change the password with every election. The machines have a tamper-evident seal. The parts are sealed. The memory card is sealed. If a seal is broken or in any manner tampered with, that is checked on the morning of the election.”
The machines are also kept in the custody of trustworthy poll workers, many of whom have overseen elections for many years, he said. The machines are sent home with senior election officials as much as a week or more in advance of the election as part of normal election preparations.
“We know who our poll workers are,” he said, refuting criticism of the advance distribution of machines and potential mischief because of the “sleepover” policy. “If (the machines) are as vulnerable as they say they are, they can’t be used in California. They have to be tested.”
Additionally, Haas said the paper tally overrules the electronic count if there is a dispute or recount.
California Secretary of State Bruce McPherson certified the Diebold AccuVote-TSx system for use in California following testing and addition of a required vote printer.
Yet is that testing adequate? Would testing reveal critical security flaws?
The San Diego computer security community is extremely concerned about security lapses and the overall shoddy design of the Diebold system, reports Chris Adams, a systems administrator and programmer at the Salk Institute who evaluates systems security regularly for his organization.
“The security community has been trying to get the vendors to change the system,” Adams said. “As a programmer, I would be embarrassed to deliver such a badly designed product. As a systems administrator, I would not want to be responsible for running a reliable service using these systems.”
Adams finds the Princeton report credible, and discounts the registrar’s insistence that encrypting data and passwords will take care of potential security problems. It’s relatively easy to tamper with poor-quality voting machines and manipulate their vote recording and tabulation software to steal votes, he said.
“There could be software added that can record (cast) votes differently. The records on the machine could be fine, but they could be changed at the time of tabulation,” he explained.
“The problem with the tests is that you don’t know what’s been tested. It’s very easy to write software that would do something only on certain dates or trigger only if a candidate is losing by a certain percentage,” he added. “It’s an ongoing problem with computing in general. The only way you’re ever going to know a machine’s been subverted is if they screw up.”
Encryption, he explained, is not going to protect against tampering from a criminal with access to the machines intent on installing malicious software.
“It’s only a speed bump,” Adams observed.
Even a paper trail, although an improvement, isn’t foolproof, he said, since it could appear to print the votes correctly but actually record them differently.
“It’s very difficult to get security right because it depends on a number of subtle things,” he said.
Adams stressed that this issue should not be viewed in a partisan light, but from the perspective of basic governmental integrity. He believes a better, more reliable computer-based system with stronger safeguards can be built, but it should be simpler than the current “overcomplicated system.” It’s also a question of cost.
“The more complex the system, the harder it is to make it secure,” he stated.
Registrar of Voters Haas said that a limited number of paper ballots, primarily for provisional and emergency purposes, will be available to voters on request at the polls on Election Day, Nov. 7.
Alternatively, voters concerned about the machines can vote by absentee ballot, a growing preference among California voters. Haas estimates that about half of all eligible voters will vote absentee this election.
Paper absentee ballots are counted by Diebold optical scanner machines. Computer security professionals say these vote tabulators are also vulnerable to manipulation to distort actual vote counts.
To see the video of the Princeton team’s vote-stealing trial and to read their report, visit http://itpolicy.princeton.edu/voting/; for the Black Box Voting study, visit http://www.blackboxvoting.org/BBVtsxstudy.pdf.