In the days after the Nov. 2 presidential election, we were treated to headlines such as “E-voting passed the test” on Techweb.com and “Success claimed for US e-voting machines” on newscientist.com. It is hard to find a single piece of official material that details exactly what test e-voting passed. Since there were no catastrophic failures or meltdowns, many people assume, naively, that e-voting works.
Calling e-voting a success is akin to a pharmaceutical company claiming a drug is safe in advance of FDA approval. Even after testing and approval, complex drugs such as Vioxx have effects that are often not seen for a long while. It's undeniable that e-voting “operated,” but it is premature to call it a “success” for the following reasons:
Standards: How do we know whether e-voting is a success or failure? The Election Assistance Commission is creating a comprehensive set of standards. Kay Stimson, communications director of the EAC, notes, “There are voting systems standards, but at this point, they are all voluntary.”
Liability: It's unclear who is responsible for failures. The EAC does not require any type of service-level agreement from e-voting vendors. Even if something did go wrong, government officials have no liability. Attorney Ron Coleman, a partner in the Coleman Law Firm, which practices business and Internet litigation, notes, “The principle of sovereign immunity prevents the government, and especially government officials personally, from being held liable for damages except in specifically enumerated circumstances permitted by law.”
Security: Security is the Achilles heel of e-voting. The EAC is diligently working on security. “Security of e-voting systems is a top priority at the EAC,” said Stimson. The standards are expected to be finalized in mid-2005. Think about it: The Kit Kat bar in a vending machine has more security requirements around it than does today's electronic vote.
There have been many documented cases where e-voting security has seriously failed. Yet the press focuses on the systems that supposedly work, not the ones that have been shown to be defective. It is ironic that in the post-9/11 era of a supposed increase in security, e-voting is being deployed without adequate security testing.
Testing: Thanks to the FAA, the aviation industry understands what it means to test a new jet. Before a new commercial airliner is permitted to fly, thousands of tests must be performed. In contrast, the level of testing for e-voting is inconsequential.
E-voting is still in its infancy, but the press and e-voting vendors are treating it as if it were an adult. E-voting may be an idea whose time has arrived, but its technologies still need time to mature.
Ben Rothke, CISSP, is a New York-based security consultant with ThruPoint Inc. and the author of “Computer Security: 20 Things Every Employee Should Know.” He can be reached at brothke@thrupoint.net. Free Spectrum is a forum for the IT community and welcomes contributions. Send submissions to eWEEK@ziffdavis.com.