Electronic Design

The Ballot Is Open On Electronic Voting

E-voting will play a key role in the upcoming U.S. national election, despite ongoing charges that electronic voting machines are rife with security flaws and may be susceptible to EMI.

Hanging digits? The digital equivalent of hanging chads is a distinct and, to many, very disturbing possibility. Recent tests of several electronic voting machines suggest a danger that your vote will not be counted in November's national election, or that it could be counted more than once.

Four years after a bitter legal and political battle was fought over the vote count in Florida, the issue is now focused on the reliability and security of electronic voting (e-voting) systems. Can they accurately and securely count and record the millions of votes that will be cast next month?

Differences of opinion are as sharp as the country is divided in support of the candidates. But with nearly twice as many voters expected to use direct-recording electronic (DRE) voting machines this year versus 2000, and with no national technical standard or certification requirement for DREs, this will be a major and very public test of technology. Is the technology up to the task?

Several analysts don't think so.

Aviel D. Rubin, a professor of computer science and technical director of the Information Security Institute at Johns Hopkins University, and a member of the National Committee on Voting Integrity, testified before the U.S. Election Assistance Commission that he was "outraged" by the lack of security of DREs. "While today's DREs increase accessibility," he told the commission, "they do not provide adequate security."

Several studies of e-voting hardware and software suggest the entire election process may be at risk in terms of producing inaccurate counts of votes cast. One of the most comprehensive studies, conducted by Compuware Corp., was initiated by the state of Ohio. Compuware identified 57 potential security risks within the software and hardware tested.

The risks were sorted into high, medium, and low categories. Diebold Election Systems had five high-potential risk areas, two medium, and eight low-potential risk areas. Other vendors, including Election Systems & Software (ES&S), Hart InterCivic, and Sequoia Election Systems, also had a variety of risk areas, according to Compuware's analysis.

Another study presented in May at the IEEE Symposium on Security and Privacy, co-authored by Rubin and three other Johns Hopkins University computer science professors, concluded that "this voting system is far below even the most minimal security standards applicable in other contexts." The study identified several vulnerabilities and poor software development processes. It also suggested that without any insider information to guide them, voters could cast unlimited votes without being detected by any mechanisms within the voting terminal software.

The debate over e-voting began to warm up with the passage of the Help America Vote Act in 2002. HAVA provides federal money to states to improve the administration of their elections and to replace punch-card voting equipment with new, advanced voting equipment, such as DREs. One key element of this legislation allows voters to fill out provisional ballots if their eligibility is in question. The process is designed to avoid Florida's experience in 2000 when voters were turned away from the polls because their voter registration was questioned and could not be readily resolved. It's a crucial piece of legislation, particularly if the November election is close.

VOTE AND VOTE AGAIN
One of the most glaring security weaknesses in these machines, according to a number of analyses conducted last year, is a reprogrammable smart card that can be modified, allowing voters to cast multiple ballots without detection. The cards are supposed to be cancelled automatically after voters cast their ballots, but the system was easily circumvented with relatively cheap card programmers.

Diebold Election Systems has received most of the criticism among e-voting machine vendors. In August 2003, the state of Maryland hired a third-party consulting firm, SAIC, which spends much of its time working on technology projects for the Defense Advanced Research Projects Agency and U.S. intelligence agencies, to analyze Diebold's AccuVote-TS system. In September 2003, Maryland made the report public. SAIC said that the system "as implemented in policy, procedure, and technology, is at high risk of compromise."

Despite the problems identified in the IEEE symposium presentation and by SAIC, Maryland plans to purchase the Diebold system, though the state has asked Diebold to make several technical changes in its voting machines. (Maryland's State Board of Elections admits that selecting Diebold is a compromise, but it says that "an alternative system could not be implemented in time to conduct the March 2004 presidential primary election and could jeopardize the November 2004 presidential general election.") The SAIC report suggests that by compromising on security, "the integrity and privacy of these elections may still be in jeopardy."

Another study by the consulting firm RABA Technologies, which last year won a $100 million contract from the National Security Agency for signal intelligence work, further validated the IEEE security symposium's presentation of the Diebold machines.

In September, California Attorney General Bill Lockyer announced plans to sue Diebold on charges it defrauded the state with false claims about its products. Lockyer earlier dropped a criminal investigation of Diebold. However, California's Secretary of State Kevin Shelley said Diebold deceived the state with aggressive marketing that led to the installation of its voting systems, which weren't tested or approved nationally or in California. Diebold has since said it will provide a number of security enhancements in its system and, in August, named a compliance officer to oversee the company's federal qualification and state compliance activities.

PUNCH CARDS IN OHIO
Ohio's Franklin County, which includes Columbus, has been using DREs for 10 years. But Ohio said in July that it would not use Diebold's e-voting machines in the state for this year's general election. The decision was based on preliminary findings from a second round of security testing conducted by Compuware showing evidence of previously identified, but still unresolved, security issues. Despite Florida's experience, James Lee of the Ohio Secretary of State's office says that 69 of the state's 88 counties will use punch cards in the upcoming national election.

The Compuware study, conducted last year, identified risks in each of the four machines it analyzed. Test scenarios varied by vendor because the vendors' DRE systems are set up differently, but the study indicated flaws in each machine tested. According to the study, Diebold's AccuVote-TS supervisor card has an associated PIN provided by the company. Compuware discovered that the PIN is 1111 for all cards issued nationwide, suggesting that an unauthorized person with knowledge of this PIN could gain access to a supervisor card and use it to access the machine's supervisor functions. The study also found that an unauthorized person with access to Diebold's Global Election Management System (GEMS) server could then access the database and change ballot definition files and election results.

The ES&S Tally program, according to Compuware, has an "add-on" feature for collecting data from a broken machine, a function that can be repeated multiple times for the same machine, resulting in overcounting of votes. Another risk was that election results for ES&S's iVotronic machine might be uploaded to its system software multiple times, resulting in overcounting votes.
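The overcounting risk described above arises when the central tally adds a machine's results every time they are submitted. The following added example (not code from Compuware's study or from any vendor) shows a tally that accepts each machine's results once and logs repeat or altered submissions for audit; the class, the machine IDs, and the counts are all constructed for illustration.

```python
import hashlib
import json


class DuplicateUpload(Exception):
    """Raised when a machine's results are submitted a second time."""


class Tally:
    """Central tally that accepts each machine's results at most once."""

    def __init__(self):
        self.totals = {}     # candidate -> votes
        self.accepted = {}   # machine_id -> digest of the accepted results
        self.audit_log = []  # (machine_id, outcome) kept for later review

    @staticmethod
    def _digest(results):
        # Canonical JSON so identical counts always hash to the same value.
        blob = json.dumps(results, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def upload(self, machine_id, results):
        digest = self._digest(results)
        if machine_id in self.accepted:
            # Same data again is a replay; different data is a conflict.
            same = self.accepted[machine_id] == digest
            kind = "replay" if same else "conflict"
            self.audit_log.append((machine_id, kind))
            raise DuplicateUpload(f"{machine_id}: {kind} rejected")
        for candidate, votes in results.items():
            self.totals[candidate] = self.totals.get(candidate, 0) + votes
        self.accepted[machine_id] = digest
        self.audit_log.append((machine_id, "accepted"))


def run_demo():
    # Constructed sample data: two machines, each submitted twice.
    tally = Tally()
    uploads = [
        ("machine-001", {"A": 120, "B": 95}),
        ("machine-002", {"A": 80, "B": 101}),
        ("machine-001", {"A": 120, "B": 95}),  # repeat upload
        ("machine-002", {"A": 90, "B": 101}),  # altered re-upload
    ]
    for machine_id, results in uploads:
        try:
            tally.upload(machine_id, results)
        except DuplicateUpload:
            pass  # rejected; the attempt stays in the audit log
    return tally


if __name__ == "__main__":
    demo = run_demo()
    print(demo.totals, demo.audit_log)
```
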

Compuware also found problems with Hart InterCivic's eSlate 3000 e-voting equipment (Fig. 1), specifically with what the company calls its Judge's Booth Controller (JBC). The JBC is connected to each of the company's eSlate 3000 voting machines using a daisy-chained cable. Compuware says the daisy-chain connection between voting units is accessible to the voter and can be disrupted by simply disconnecting a serial port. Once disconnected, the JBC must be power-cycled to bring the disconnected eSlates back on line. The risk, says Compuware, is that any unauthorized person can disconnect the daisy-chain connection, causing a disruption in voting.

In addition, access to supervisory functions in the eSlate 3000 is limited to opening and closing the polls and is controlled by physical access to the JBC and an optional password. No warning is provided if the user tries to close the polls before the scheduled closing of the election. According to Compuware's tests, closing the polls at the JBC closes all eSlates attached to it, potentially allowing any unauthorized person who gains access to the JBC to close the polls prematurely. Hart InterCivic says it recently made design changes to its e-voting booth that improve its physical security and add intrusion detection. The company also says the processes were changed for its customers, and training procedures were updated to cover issues in the Compuware report.

Compuware also found that Sequoia Voting Systems' AVC Edge can be shut down using a switch on the back of the model without a password. According to tests, anyone could gain access to the AVC Edge while it's being transported to an election site or while in storage.

A HISTORY LESSON
E-voting machines actually can be traced all the way back to 1964 with the Harris Votomatic, which was used in Georgia, Oregon, and California. IBM bought the Harris operation but didn't stick with the voting business very long. Other major industry companies have also taken a crack at the field.

Unisys Corp. has worked with Dell Corp. to develop a voting machine, and Microsoft, Cisco Systems, and Compaq Computer invested in the development of an Internet voting system. Sequoia Voting Systems has provided election services for more than a century and e-voting machines for the past 25 years. The touchscreen version of Sequoia's voting equipment has been around since 1999.

So, how well have e-voting machines worked in past elections? According to Professor Rubin, they seem to have been rather effective in the 2002 congressional election, and most of the major vendors say they've corrected technical problems found by Compuware and by other studies. "But there's really no way to know," says Rubin. "If the machines record votes incorrectly, we would never find out."

Diebold remains the system of choice in several states and counties, despite all of the critical analysis and bad press. Bloomberg News reported that in March, about a third of 1600 polling places in San Diego County opened late because batteries in Diebold machines ran low. Also, Diebold e-voting machines in Orange and Alameda counties in California caused hundreds of voters to get the wrong ballots because their smart cards, used to register their votes, were coded incorrectly.

California announced in August that it had certified Diebold's AccuVote-TS touchscreen system firmware and software for the November election and that two counties, Alameda and Plumas, will use the system in November. Both counties used the system in the 2002 gubernatorial election. Los Angeles County, the largest county in the U.S., also will use the AccuVote-TS system for early voting. Hart InterCivic, which had no customers for its eSlate system in 2000, sold the system to five counties in Texas and at least one county in five other states for November's election.

Much of the concern surrounding these machines is that they don't provide a paper trail of votes cast. Sequoia says the VeriVote printer upgrade of its AVC Edge system, which lets voters view a paper copy of their electronic ballot before leaving the polling place, has successfully passed federal testing and was used throughout Nevada in its September primary. It will be employed again in November.

The printer is mounted beside the touchscreen and displays the voter's selections behind glass so neither voters nor poll workers can physically remove or alter the paper record. Diebold also provides a voter-verified paper audit trail as an option for its AccuVote-TS. California has required printers for all touchscreen machines used in the state after July 1, 2006.

TECHNICAL STANDARDS?
With no national technical standards for e-voting machines, the IEEE has formed a group known as Project 1538 to create a standard for the evaluation of voting equipment. Essentially, 1538 will develop a standard of requirements and methods for election voting equipment. It won't specify how these machines should be designed or produced. The group's work won't be completed in time to have any impact on this year's general election.

Eventually, the U.S. Election Assistance Commission (EAC), established by Congress under HAVA to develop technical guidelines for voting machinery, is expected to accept the IEEE group's recommendations as a national standard. One of the goals of Project 1538 will be to define electromagnetic-interference (EMI) requirements in e-voting machines.

William A. Radasky, president of Metatech Corp., which specializes in analyzing EMI disturbances and their effects on electronic systems and subsystems, is heading a group within the IEEE EMC Society to study the potential for intentional interference against publicly accessible computing systems—including e-voting machines. "I personally believe that EMI could be a problem for voting machines, especially cell-phone interference," he says. "It's just a matter of knowing where to place the phone."

Radasky's group expects to develop procedures that he hopes will dovetail with the work being done by Project 1583. The group will also look at cell phones. They can do the most damage, Radasky says, when their towers are a great distance from e-voting machines. That's because they will have to work at a higher power, or transmission level, to find a signal. According to Radasky, cell phones can get up to 5 V per meter within a few inches of an e-voting machine.

"You're not going to change any votes, but you could probably shut down the machine. You could prevent people from voting," Radasky says. He adds that his group's work on intentional interference is just starting. "We haven't even had a formal meeting yet, and we expect our effort to take about five years."

NEXT-GENERATION E-VOTING
Can any of this be fixed? One possible solution is so-called "verified voting," using a printer attached to the e-voting machine to generate a hard copy of a voter's choice. But there's also a fear that printers, like the voting terminals, can be tampered with because they are simply paper ballots.

Votegrity, a company founded recently by cryptographer David Chaum, came up with a system of encrypted strips of paper generated by a printer attached to an e-voting machine. The printer enables voters to confirm that their votes were counted before they leave the voting booth. They simply check a serial number on the receipt against decrypted data on the Web. It also allows voters to keep a printed copy of their vote, as a sort of receipt.

ES&S says it's testing a touchscreen machine called AutoMark that will be ready for use early next year. The machine can produce marked paper ballots, which are then run through a scanner that can count both the AutoMark ballots and those that were marked by hand.

Another possibility is optical scanning technology, such as the InkaVote system produced by Election Data Corp. This system substitutes pen marks on paper for punched holes. Voters can check the cards before they leave the polling booth to ensure their votes are registered accurately. InkaVote has been tested and certified in California. In fact, Los Angeles County ordered 45,000 of these units for November.

Lawmakers in at least 14 states that use DREs are considering introducing legislation requiring voter-verified paper audits (Fig. 2). At the federal level, Congressman Rush Holt (D-NJ) last year introduced the Voter Confidence and Increased Accessibility Act (H.R. 2239.IH), which would require a voter-verified paper record for use in manual audits of DREs.

U.S. military personnel will have their own system of e-voting this year, which is also not without controversy. They can vote by faxing or e-mailing their ballots, but only after they waive their right to a secret ballot. Several independent sources have questioned the system, called the Electronic Transmission Service, and the choice of the company assigned to manage it, Omega Technologies. Omega's chief executive, Patricia Williams, has donated several thousand dollars to the National Republican Congressional Committee and serves on the committee's Business Advisory Council.

As of early September, the U.S. Department of Defense was withholding information about the service. Some editorials have criticized the service, which also was used in the 2000 and 2002 elections. Omega didn't handle the military ballots in those elections, but the Pentagon won't say who did.

NEED MORE INFORMATION?
Cisco Systems www.cisco.com
Compuware Corp. www.compuware.com
Dell www.dell.com
Diebold Election Systems www.dieboldes.com
Election Data Corp. www.inkavote.com
Election Systems & Software www.essvote.com
Hart InterCivic www.hartintercivic.com
IEEE www.ieee.org
Metatech Corp. www.metatechcorp.com
Microsoft www.microsoft.com
RABA Technologies www.raba.com
SAIC www.saic.com
Sequoia Voting Systems www.sequoiavote.com
Unisys www.unisys.com
Votegrity www.voterverifiable.com
Wyle Laboratories www.wylelabs.com