Much of the American electoral process is and has been based on trust. But how trustworthy is the new voting technology that most jurisdictions recently implemented?
Computer security professionals have long been concerned about known flaws in electronic voting systems. In September, three computer scientists at Princeton University’s Center for Information Technology Policy released a study of Diebold AccuVote-TS machines that casts serious doubt on the security, accuracy and reliability of Diebold Direct Recording Electronic (DRE), or touch-screen, voting systems.
A newer version of the Diebold machine, the AccuVote-TSx (equipped with a printer to verify voters’ ballots and improved security features, according to the manufacturer), is in use in San Diego County.
The Princeton study, conducted by Professor Edward W. Felten and graduate students Ariel J. Feldman and J. Alex Halderman, points out key weaknesses, including the machine’s susceptibility to vote-stealing viruses with little if any risk of detection. Such a virus can be transferred to other machines through a memory card used to upgrade software. Tests also discovered that a person can corrupt an AccuVote-TS machine in as little as one minute; the Princeton team has since posted a video demonstration of the machine’s fallibility online.
An earlier study by Harri Hursti, released in May 2006 by Black Box Voting, reached similar conclusions about security flaws in the Diebold AccuVote-TSx system in use in San Diego.
Diebold does not sanction independent security evaluations of its machines.
San Diego County purchased the AccuVote-TSx system from Diebold in 2004 for more than $30 million. A printer module with software was later added to meet state requirements for a voter-verifiable paper trail.
Despite the studies and a recent story about possible theft of Diebold voting software in Maryland, Mikel Haas, who leads the San Diego County Registrar of Voters, insists that San Diego’s touch-screen voting machines are safe and not vulnerable to tampering.
“We use encryption and our own password is encrypted. We change the password with every election. The machines have a tamper-evident seal. The parts are sealed. The memory card is sealed. If a seal is broken or in any manner tampered with, that is checked on the morning of the election,” Haas said.
The machines are also kept in the custody of trustworthy poll workers, many of whom have overseen elections for many years, he said. The machines are sent home with senior election officials as much as a week or more in advance of the election as part of normal election preparations.
“We know who our poll workers are,” he said, refuting criticism of the advance distribution of machines and potential mischief because of the “sleepover” policy.
“If [the machines] are as vulnerable as they say they are, they can’t be used in California. They have to be tested,” Haas said.
Secretary of State Bruce McPherson certified the Diebold AccuVote TSx system for use in California, following testing and addition of a required vote printer.
But the San Diego computer security community is extremely concerned about security lapses and the overall shoddy design of the Diebold system, according to Chris Adams, a Salk Institute systems administrator and programmer who evaluates systems security regularly for his organization.
“The security community has been trying to get the vendors to change the system. As a programmer, I would be embarrassed to deliver such a badly designed product. As a systems administrator, I would not want to be responsible for running a reliable service using these systems,” Adams said.
Adams found the Princeton report credible and discounted the registrar’s insistence that encrypting data and passwords will take care of potential security problems. It’s relatively easy to tamper with poor quality voting machines and manipulate their vote recording and tabulation software to steal votes, he said.
“There could be software added that can record (cast) votes differently. The records on the machine could be fine, but they could be changed at the time of tabulation,” Adams explained.
“The problem with the tests is that you don’t know what’s been tested. It’s very easy to write software that would do something only on certain dates or trigger only if a candidate is losing by a certain percentage,” he continued. “It’s an on-going problem with computing in general. The only way you’re ever going to know a machine’s been subverted is if they screw up.”
Encryption, Adams explained, is not going to protect against tampering from a criminal with access to the machines intent on installing malicious software. “It’s only a speed bump.”
Even a paper trail, although an improvement, isn’t foolproof, he said, since it could appear to print the votes correctly but actually record them differently.
“It’s very difficult to get security right because it depends on a number of subtle things,” he said.
Adams stressed that this issue should not be viewed in a partisan light but from the perspective of basic governmental integrity. He said he believes a better, more reliable computer-based system with stronger safeguards can be built, but it should be simpler than the current “overcomplicated system.” It’s also a question of cost.
“The more complex the system, the harder it is to make it secure,” Adams said.
Haas said that a limited number of paper ballots, primarily for provisional and emergency purposes, will be available to voters on request at the polls on Election Day, Tuesday, Nov. 7. Alternatively, voters concerned about the machines can vote by absentee ballot, a growing preference among California voters. Haas estimated that about half of all eligible voters will vote absentee this election.
Paper absentee ballots are counted by Diebold optical scanner machines. Computer security professionals say these vote tabulators are also vulnerable to manipulation to distort actual vote counts.
To see the video of the Princeton team’s vote-stealing trial and to read their report, visit http://itpolicy.princeton.edu/voting/. For more on the Black Box Voting study, visit http://www.blackboxvoting.org/BBVtsxstudy.pdf.