E-voting flaws risk ballot fraud
By Alan Boyle
Some versions of electronic voting software could allow for ballot fraud on a massive scale, computer security researchers reported Thursday. The researchers made their claim based on an analysis of computer code that was purportedly taken from one of the country's top suppliers of voting equipment. But the supplier, Ohio-based Diebold Election Systems, said it believed the software was "outdated and never was used in an actual election."
THE SOURCE CODE was analyzed over the past couple of weeks by researchers at Johns Hopkins University and Rice University, and their findings were posted Wednesday on the Web as an Adobe Acrobat file.
The researchers said they couldn't verify independently whether the code was currently being used in Diebold machines, and Diebold issued a statement saying "we believe that the software code they evaluated, while sharing similarities to the current code, is outdated and never was used in an actual election."
Diebold is a major supplier of electronic voting equipment in the United States, with more than 50,000 of its voting stations installed in Georgia, California, Kansas and other states.
Douglas Jones, a University of Iowa computer science professor who serves on Iowa's board of examiners for electronic voting systems, said he recognized one of the encryption flaws cited by the researchers' report as one he called attention to during a board meeting at least five years ago.
"I can say with great confidence that several Diebold representatives were at the meeting, and one of their people who was described to me as being one of their main programmers," he told MSNBC.com. "The fact that that flaw is still there, half a decade later, is as far as I'm concerned grounds for decertifying their machine."
Some critics of e-voting contend that the software flaws could affect optical-scan voting machines as well. Jones said he would not call for decertification of those machines, however, because Iowa election law requires on-paper confirmation of optical-scan results at the precinct level.
He also noted that with optical-scan systems, there was a paper trail that could be retraced in case there were any questions. Indeed, the bottom line for Jones as well as Rubin and other e-voting skeptics is that any voting system should have a voter-verifiable paper audit.
"With the direct-reporting electronic system, where all these questions about security actually touch on the authenticity of anything the machine retains, we have nothing to fall back on," Jones said.
Such a "paper trail" requirement has been proposed in a House bill introduced by U.S. Rep. Rush Holt, D-N.J.
Jones, who said he was involved in the drafting of the bill, quoted a phrase oft used by e-voting skeptics: "If you have a voter-verifiable audit trail, even the devil himself could design the software, and you'd still be able to conduct an honest election."