Another body blow was struck to the already lousy reputation of U.S. e-voting when the office of California Secretary of State Debra Bowen on July 30 published investigation results showing that three major e-voting systems are liable to having their accuracy, security and/or integrity compromised.
Three systems flunked in the hastily conducted examinations: Diebold's GEMS 1.18.24/AccuVote, Hart Intercivic System 6.2.1 and Sequoia's WinEDS version 3.1.012/Edge/Insight/400-C. Each machine is either an optical scan system or a DRE that uses Voter Verified Paper Audit Trail.
Each system stores votes in its own way. If they can be compromised, the votes that the systems record may not be accurate. For example, if an attacker were to successfully execute arbitrary programs on one of the systems, the systems could be caused to misrecord votes even with the presence of a paper audit trail.
The full report is here.
The news is just the latest in a string of bad press earned by e-voting in the United States of America, where a mishmash of disparate systems is subject to exploit due to wireless communications capabilities and/or inherent flaws in commercial off-the-shelf software that's exempt from testing.
Members of the Technical Guidance Development Commission of the Election Assistance Commission, which grew out of President George W. Bush's Help America Vote Act of 2002, have said that they were aware of significant flaws in voting machines that could allow attackers to change election outcomes on the national or local level even while the TGDC drafted federal guidelines for the design and testing of those machines.
But as the 2008 election looms, the burning question is: Can we get it right?
Other countries have, after all, figured this stuff out.
Brazil's been e-voting since 1996 (albeit with fraud still having crept in). The star of the international e-voting scene is arguably Australia, which is e-voting on machines that are based on Linux, using specs set by independent election officials that were posted on the Internet for one and all to vet—an open-source approach for which U.S. activists clamor.
“From what I have read, the U.S. systems are primitive compared [with those of] Australia,” said Tom Worthington, a visiting fellow at the department of computer science at Australian National University, in Canberra, Australia, and an expert on e-voting technology, in an e-mail exchange with eWEEK.
It's worthwhile to pause and clarify what we mean when we use the term “e-voting.” Electronic voting systems have actually been in use since the 1960s, with the advent of punch-card systems. The term “e-voting” nowadays refers to one of a medley of newer technologies. One e-voting system used on a large scale in India, the Netherlands, Venezuela and the United States is a newer optical scan system that reads a voter's ballot mark and then collects and tabulates votes on a single machine.
Then there's Internet voting, which has been used in the United Kingdom, Estonia, Switzerland, Canada, the United States and France.
Then too there are hybrid systems, such as those that flunked the California review. They include an electronic ballot-marking device that's often a touch-screen system similar to a DRE voting system or other technology that prints a voter-verifiable paper ballot, paired with a separate machine to tabulate votes.
Security experts such as Bruce Schneier, writing in a 2006 report for the Brennan Center Task Force on Voting System Security titled “The Machinery of Democracy: Protecting Elections in an Electronic World,” have said that the many types of attacks possible against newfangled e-voting systems include wireless exploits that could take advantage of unplanned vulnerabilities in the system software or hardware to plant a Trojan horse onto a machine.
“For this type of attack, a Trojan horse would not have to be inserted in advance of Election Day,” according to the report. “Instead, an attacker aware of a vulnerability in the voting system's software or firmware could simply show up at the polling station and beam her Trojan horse into the machine using a wireless-enabled personal digital assistant.”
Note that there have been no documented security breaches of e-voting systems in this country. New electronic machines that caused long reporting delays were used in a Cleveland county during the state's 2006 primary election; that election resulted in the entire board of elections of Cuyahoga County being removed, but the two felony convictions had to do with what prosecutors called a rigged recount as opposed to any of the machines having been tampered with. When experts warn of potential holes, the emphasis is on potential.
Poor Design Choices
But the potential holes are also curiously North American.
Unfortunately, Worthington notes, many people read about e-voting problems in the USA and assume that such problems apply to the rest of the world. Not so, he says. “Apart from the U.K., which made some poor choices in using Internet voting for local elections, the USA probably has the poorest designed electronic voting systems in the developed world,” he said.
Ouch. What's wrong with us?
It's not that we're incapable of designing systems that work securely. “The USA has some very good software engineers and if given a brief to develop an electronic voting system they could produce one as good as those elsewhere in the world,” Worthington said.
Many experts concur: The problem with e-voting in the USA is, in fact, not one of a technical nature; rather, it is a political and administrative issue.
Michelle Shafer, vice president of communications and external affairs for Sequoia Voting Systems, in Oakland, Calif., points out that each of the 50 states has its own election laws that must be followed. As well, voting equipment must meet specific requirements in each state—and that's on top of complying with federal voluntary voting system guidelines that have been adopted by most states. That's “voluntary for the states,” not voluntary for the vendors who have to tailor their systems to each of their 50 clients.
“Elections in the United States are extremely complicated, especially compared to other countries, because we do have unique election law in each of our states,” Shafer said in an e-mail exchange with eWEEK. “This does present challenges to election technology providers because this is not a one-size-fits-all marketplace where one machine or version of software can be used in any state.”
An example of the contradictory requests that come from various jurisdictions concerns ballot rotation—the order in which candidates or propositions appear on a ballot. States' requirements vary and are “completely different,” Shafer said. “This applies to paper ballots as well as electronic ballots (and this issue is much easier to address with an electronic system, as the software takes care of rotation).”
Sequoia, the country's first maker of touch-screen voting machines, has been in business over 100 years—its corporate ancestor having been in the business of making lever voting machines. With that much institutional knowledge of U.S. elections and various state requirements, the company doesn't sweat varying state requirements.
Rather, where states' rights come into play in the security profile of U.S. e-voting systems is with the inability of the federal government to requisition and mandate the use of one single system for use throughout the land.
Brazil, for one, is “way ahead of us in many ways,” according to voting expert Dr. Ted Selker, associate professor at the MIT Media and Arts Technology Laboratory and director of MIT's Context Aware Computing Labs. One of the ways Brazil has shown the United States up is that the government cooked its own code and gave it to five manufacturers to bake into an e-voting system in the early '90s, after rampant fraud had led the electorate to lose confidence in the system.
It wasn't smooth sailing at first for Brazil, though, in spite of the fact that the country controlled its own e-voting technology. In 1998, Brazil started using Unisys technology that turned out to have a high failure rate, with some 7 percent of machines unable to deliver votes electronically.
But by 2000, the number of machines unable to return votes was down to .02 percent. Of the country's electorate, 106 million were using the machines to vote, and the simple systems had enviable cost and ruggedness: At a cost of $300-$400 each, the systems worked for hours on a simple set of batteries. Not only that, but the systems, which displayed photos of candidates, were also highly accessible to Brazil's population, many of whom are illiterate.
“[The systems] really changed [the level of] trust in government,” Selker said. “By making that many and making them uniform, they also have an incredible price.”
Source Code Disclosure
Would open-sourcing all code that goes into e-voting hardware and software help to avoid security holes? Sequoia's Shafer argues that code is already reviewed, if not open-sourced. “Current voting systems undergo certification, inspection and review processes which provide authorized reviewers with access to software source code and reports on system performance, in a form of disclosed source,” she wrote in a report from the Election Technology Council as a response to amendments to the Help America Vote Act.
But who's testing the code testers? The largest tester of the country's voting machines, a company called Ciber Inc., last summer was temporarily barred from approving new machines after feds found it wasn't following its own quality-control procedures and couldn't document whether it was actually conducting all required tests, according to a January 2007 article in The New York Times (requires free registration to view articles).
As the Times pointed out, if the reliability of Ciber's tests has been called into question, that calls into question everything the company tested, including vote-counting software and security on many machines now in use.
“What's scary is that we've been using systems in elections that Ciber had certified, and this calls into question those systems that they tested,” Aviel D. Rubin, a computer science professor at Johns Hopkins, was quoted as saying in the Times article.
Source code for e-voting systems is now “disclosed” in a number of ways. It is supplied to the Voting System Testing Laboratories, which are accredited by the Election Assistance Commission (EAC) for use in testing and certifying voting systems. Many states also require manufacturer source code to be kept in escrow. Executable software also is required to be submitted to the National Institute of Standards and Technology (NIST) in order to produce hash codes, which can then be used to determine that a jurisdiction has the right version of certified software.
As far as open-sourcing the code goes, though, Shafer suggests that full, unfettered public access could actually result in providing a potential criminal with the tools to rig an election. “Recently, someone claimed to have created a key to a Diebold voting unit's compartment by simply printing a picture of the key from a Web site and subsequently created a key made from the design. Many of those who are adamantly calling for full disclosure, to any person, are the very same people who called the release of this key a security flaw,” Shafer said. “The key is just one layer of the defense provided on the devices, just as keeping the source code confidential is a layer of defense. … Providing the source code to the public removes that layer of security and could make it easier for someone to attempt to defraud an election.”
Another aspect to the open-source debate that's often overlooked, Shafer said, is that current legislative proposals to open-source e-voting code make no distinction between e-voting system manufacturers and third-party software makers such as Microsoft, which markets the Windows CE program used as an operating system for some parts of some voting systems.
“These third-party packages are useful in designing robust products, as the manufacturers don't have to re-invent a wheel that has been tried and trued by other developers,” Shafer said. “Legally, manufacturers cannot provide source code for these third-party software programs or provide the names of the programmers involved in the creation of the third-party software.”
Meanwhile, DeForest Soaries, former chairman of the EAC, in June 2004 came out with a series of nonbinding suggestions for how to open-source e-voting code. First, he said, the EAC should ask that e-voting systems makers release source code to states under nondisclosure agreements. The code would then be made accessible to computer scientists in each state who would be asked to sign the NDA before reviewing the code.
After that, Soaries said, an existing National Software Reference Library run by the Department of Commerce should be used as a repository in which to store the source code. States could then check their machines' firmware to ensure they're running the version they're supposed to be running. Soaries' final suggestion is for states to undertake enhanced security measures, such as cryptography, come November.
Finally, problems with e-voting systems should be compiled and analyzed. At this point, there's no central federal database that lists all the problems known to exist in current e-voting systems.
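The version check described above (hash codes produced from the certified executables, and a reference library that states compare their machines' firmware against) can be sketched as follows. This is an added example, not code from NIST, the EAC or any vendor; SHA-256, the path-to-digest reference format and every file name are assumptions, and the sample files are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large firmware images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_install(root, reference):
    """Compare every file under root with a {relative_path: sha256} reference.

    A matching hash on the known files is not enough: files absent from the
    reference ("unexpected") and certified files that are gone ("missing")
    are reported too, since either means the install is not the certified set.
    """
    report = {"ok": [], "mismatched": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in reference:
                report["unexpected"].append(rel)
            elif sha256_file(full) == reference[rel].lower():
                report["ok"].append(rel)
            else:
                report["mismatched"].append(rel)
    report["missing"] = sorted(set(reference) - seen)
    for key in ("ok", "mismatched", "unexpected"):
        report[key].sort()
    return report

def demo():
    """Build a constructed install tree and reference list, then verify it."""
    with tempfile.TemporaryDirectory() as root:
        files = {"tabulator.bin": b"certified build", "ballot.cfg": b"rotation=1"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        reference = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
        reference["audit.dll"] = hashlib.sha256(b"audit module").hexdigest()
        # Simulate drift after certification: one changed file, one extra file.
        with open(os.path.join(root, "ballot.cfg"), "wb") as fh:
            fh.write(b"rotation=2")
        with open(os.path.join(root, "helper.exe"), "wb") as fh:
            fh.write(b"not in the certified set")
        return verify_install(root, reference)
```

The check is only as trustworthy as the copy of the reference list and the machine doing the hashing, so both should come from outside the system being verified.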
Open-source e-voting code was easier in Australia. The country seems to be doing just fine with its Linux-based systems, which are called eVACS (Electronic Voting and Counting System) and made by a company called Software Improvements.
But that's Australia. At this point, it's not looking like the 2008 U.S. elections will see a significantly improved e-voting scene in this country.
Editor's Note: This story was updated to include a reference to The New York Times article. Also, DeForest Soaries' status as former EAC chairman was corrected, as was the date of when he gave his recommendations to fix e-voting security.