Electronic-voting security scrutinized at symposium
Concerns raised as presidential election looms
December 11, 2003
By Elizabeth Heichler
IDG News Service
GAITHERSBURG, MD. With the 2004 U.S. presidential election looming, election officials from around the U.S. joined computer scientists, voting machine vendors and others on Wednesday and Thursday to air growing concerns -- and some intense disagreements -- about the security and reliability of electronic-voting systems.
Dire warnings of computer scientists who are security experts at times seemed as welcome as the proverbial skunk at a garden party during the symposium called "Building Trust and Confidence in Voting Systems," held at the U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Md.. Faced with limited budgets and resources, election officials and voting systems vendors repeatedly questioned the feasibility of developing and implementing security standards to the level recommended by the computer science community -- what one questioner in the audience called defense department appetites "on a Wal-Mart budget."
IT experts at the symposium questioned whether the current system of testing and accreditation of voting systems against voluntary standards is effective, given recent reports that scrutinized DRE (direct recording electronic) systems from leading vendors and found high-risk vulnerabilities in the machines. Those reviews include a joint Johns Hopkins University and Rice University review of source code from a Diebold Inc. system that was leaked onto the Internet this year; an analysis of the same system by Science Applications International Corp. on behalf of the state of Maryland; and a security review of four systems, including Diebold's, by Compuware Corp. for the state of Ohio.
Particularly worrisome to security experts is that using current DREs does not provide an independent record of votes cast in case there are serious concerns that a system has malfunctioned or its security has been breached.
While many of the systems have redundant components, so that votes are recorded in multiple places, that is only used to protect against "obvious things like power failures," according to Douglas Jones, an associate professor of computer science at the University of Iowa in Iowa City who has been a voting machine examiner for that state since 1994. In his conference presentation, Jones added that there is a window of opportunity, albeit of just a few milliseconds, when there is no independent data path, and he pointed out that it is possible to build a system where two redundant mechanisms independently record the voter's action.
Those who are concerned with the security of DREs are calling for audit trails with the systems that allow a voter to verify that a vote has been properly recorded by the machine. How to implement those audit trails is a subject of controversy: A vocal group is demanding voter-verifiable paper audit trails, and recently succeeded in convincing the California secretary of state to mandate that approach. But many election officials seem strongly opposed to introducing that requirement, arguing that adding printers to systems will increase not only costs but the likelihood of mechanical failures as printers break down, jam or run out of paper. Colorado Secretary of State Donnetta Davidson also warned attendees that in recounts when the paper doesn't match the machine tally there will be no way to know which total to trust and "we'll end up in court."
That gulf between the theoretical and practical is characteristic of the electronic-voting controversy, as computer scientists maintain that no software can be made provably secure and must therefore include audit trails, while election officials need to run elections that go smoothly and where there are no doubts about the outcome. No one wants a repeat of Florida in the 2000 election, the nightmare scenario that HAVA was intended to avert.
Some election officials even charge that the computer security specialists who have joined the voting systems debate are needlessly undermining the confidence of voters. However, according to Iowa's Jones, the opposite is true.
"Trustworthy systems must rest on one central principle: trust no-one," Jones said.