State goes to bat for vote machines
Sept. 19, 2006
By Katy Human
Denver Post Staff Writer
A sharp thumbnail, a distracted poll worker or a determined hacker could undermine Colorado's 2006 election, according to two computer experts in a lawsuit challenging the state.
The reports were done for the plaintiffs - 13 Colorado residents - and were released Monday.
The lawsuit, which goes to trial Wednesday, alleges that four types of electronic voting machines used in the state are vulnerable to fraud and should not have been certified by the secretary of state's office.
Douglas Jones, a computer-security expert at the University of Iowa in Iowa City, and Dan Wallach, at Rice University in Houston, wrote that Colorado's election rules were carelessly drafted.
The voting machines - made by Diebold Election Systems Inc., Sequoia Voting Systems Inc., Elections Systems & Software Inc. and Hart InterCivic Inc. - were not evaluated for accuracy or vulnerability to problems.
Security documentation was also weak or lacking, they said.
Colorado's system for certifying electronic voting machines is so flawed, it wouldn't catch security flaws and programming errors that could lead to election mistakes, the two experts said.
"We're not just worried about defense against hackers, we're worried about defense against normal carelessness," Jones said.
Without sufficient backup and security, even an election volunteer pressing too many buttons might be able to accidently jam a system, they said.
"You need to make sure you're not prone to careless errors. ... Colorado hasn't," Jones said.
Secretary of state staffers said they could not comment because of the pending trial.
County clerks in Jefferson and Mesa counties said the lawsuit itself threatens to disrupt this year's elections ...
"We've had no problems, and we've used ES&S machines since 2002," said Janice Ward, Mesa County clerk and recorder.
In depositions, Jones and Wallach wrote:
ES&S stored an electronic encryption key - a description of how to break security codes - alongside the voting data it was meant to protect, a "fundamental security error."
Some of the documentation for the Sequoia machines was so vague and useless, it would "get a student laughed out of an undergraduate course in software engineering."
When state officials evaluated Sequoia machine documentation, someone crossed out several F's for fail and replaced them with P's for pass, with no reasons given.
Jones said he worried as much about accidental problems - poor coding or careless handling of the machines - as much as deliberate hacking.
In Colorado, elections officials with weak computer-security training won't necessarily know whether someone has tampered, deliberately or accidentally, with the machines.
Sticker-like security seals are often used to detect tampering with voting machines' innards, he said, but there are easy ways to circumvent that system.
"If I want to throw the election into turmoil, all I have to do is put a thumbnail in and break it," Jones said.
All contents Copyright 2006 The Denver Post or other copyright holders. All rights reserved. This material may not be published, broadcast, rewritten or redistributed for any commercial purpose.