At the Last HOPE conference, University of Pennsylvania researchers who led EVEREST's analysis of ES&S e-voting technology described exploitable security vulnerabilities in almost every hardware and software component of ES&S's touch-screen and optical-scan systems. Some of these flaws, Clark said, could allow a single voter or poll worker with bad intentions to alter countywide election results, possibly without election officials ever knowing that the results had been tampered with. "There wasn't an attack that we tried that we weren't able to carry out," she added. "We learned that every current e-voting system has serious exploitable vulnerabilities."
In addition to investing in Premier systems, Ohio has spent more than $41 million on ES&S e-voting technology and is one of 43 states that are ES&S customers.
When contacted for this story, ES&S pointed to statements made earlier this year regarding EVEREST. ES&S's conclusion, like Premier's, is that anyone attempting to replicate many of EVEREST's tests would need "unfettered access to the DRE unit" as well as detailed knowledge of how the system works (to wit, its communications protocol with its audit log).
Despite their differences, Ohio and Premier are stuck with each other for the 2008 presidential election. "With the election being less than three months away, the counties will be using the technology they have," Brunner says. To head off any potential problems, Ohio counties using touch-screen voting systems are being required to print a hard copy of at least a portion of electronically cast votes, which will provide an audit trail. Voters will also be offered the option of filling out paper ballots that can be read by optical scanners and registered in a database.
E-voting systems have to be completely redesigned with security in mind, McDaniel says. In the short term, this means adding more thorough vote-auditing capabilities so that discrepancies can be investigated. "The elections systems should have the same quality, the same reliability, the same testing and the same certification requirements as financial systems," he says. "If the systems used by banks, which have to report to the SEC [Securities and Exchange Commission], had this level of quality, no one would put their money in the bank."
Looking beyond November, Brunner says that she wants Ohio to rely more on optical-scan technology. "Later on," she adds, "there may be a place for touch-screen (systems)."