In their rush to avoid a repeat of the controversy that plagued the 2000 presidential election, and to meet the requirements of Congress's hastily mandated 2002 Help America Vote Act (HAVA), states and counties flocked to electronic voting systems they hoped would eliminate hanging chads and other flaws inherent in paper-based systems. Six years later, with another presidential election less than three months away, many e-voting systems are fraught with security glitches, and the technology has yet to prove itself as the solution voters were looking for.
Such systems could allow voters and poll workers to place multiple votes, crash the systems by loading viruses, and fake vote tallies, according to studies commissioned by the states of California and Ohio within the past year. Makers of these systems have countered that the test settings were unrealistic. But that is not helping election officials sleep better at night.
One of the reasons e-voting systems turned out to be such a failure is that the only people involved in checking these systems were the vendors, who wanted to sell their technology, and the local election officials, who were ill-equipped to understand the security issues, says David Dill, a Stanford University computer science professor and founder of the Verified Voting Foundation, a nonprofit organization pushing for the implementation of voting processes that can more easily be verified and audited. "There was a certification process in place," Dill says, "but it had very little to do with security."
Dill is the author of Attackdog, threat modeling software that can examine more than 9,000 potential ways a voting system can be attacked, including computer hacking, ballot tampering and voter impersonation. Attackdog is part of a larger effort called A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE), which was launched in 2005 by the National Science Foundation with $7.5 million in funding. "Nothing we do now will affect the November election," Dill says. "We don't know how to make secure paperless voting."
This sentiment is echoed in many places throughout the U.S., most prominently in the hotly contested state of Ohio, where Secretary of State Jennifer Brunner has commissioned a series of tests over the past year to determine whether e-voting systems are secure enough to be trusted. Based on these tests Brunner has concluded that they are not secure, a decision that Premier Election Solutions, Inc., in Allen, Tex., took exception to. Premier sued Brunner and one Ohio county board of elections in May in a move to get the courts to rule that the company had fulfilled its contractual obligations to the state.
Brunner struck back August 6 by countersuing Premier, formerly Diebold Election Systems, Inc., and maker of the touch-screen voting systems into which Ohio has invested more than $62 million since 2005. Brunner's suit accuses Premier of, among other things, breach of contract and breach of warranty, and seeks court acknowledgement that Premier did not honor its contract. The countersuit also asks for damages of at least $25,000 against Premier for voting system malfunctions that have caused problems in at least 11 of the 44 counties using Premier's technology during elections since 2005. "We believe that Premier's equipment has failed to perform as required by its contracts and according to state law," Brunner says. "We have taken this action to recover taxpayer funds spent for voting systems used in half of the state's 88 counties."
Brunner and Premier have locked horns several times since she took office in January 2007 over whether the company's DRE (direct recorded election) touch-screen electronic voting technology works properly and is secure. The problem came to a head in April, when election officials in Ohio's Butler County detected a vote count discrepancy during the primary election. The county board of elections staff determined that the Premier DRE system had malfunctioned and failed to count votes from memory cards uploaded to the system's vote tabulation computer server, Brunner says, adding, "This is not what we bargained for."
Suspecting problems with all of the e-voting technology that had so far cost Ohio $112 million, Brunner last year commissioned Project EVEREST, a comprehensive security review of the electronic voting technology used throughout Ohio, to identify any problems that might make elections vulnerable to tampering. During the 10-week project, teams of academic researchers from Pennsylvania State University, the University of Pennsylvania and WebWise Security (a security firm formed in 2005 by faculty and students from the University of California, Santa Barbara's security research group) examined DRE touch-screen and optical-scan voting systems from Premier, Election Systems and Software (ES&S) in Omaha, Neb., and Austin, Tex.–based Hart InterCivic as well as the software that manages these systems.
EVEREST researchers found exploitable security weaknesses in all three vendors' systems, Brunner said in a statement when the project concluded in December. "Many of these vulnerabilities represent practical threats to the integrity of elections as they are conducted in Ohio," she said. "We found vulnerabilities in different vendor systems that would, for example, allow voters and poll workers to place multiple votes, to infect the precinct with virus software or to corrupt previously cast votes—sometimes irrevocably."
"None of the systems out there are even remotely adequate given the importance of the data they handle," says Patrick McDaniel, a Penn State professor of information security who led the EVEREST testing. A lot of the attacks that McDaniel and his team tested could be carried out at a polling place or county elections office in a matter of seconds. An example: when researchers placed a piece of white tape over part of an e-voting system's scanner, they were able to effectively block it from reading the entire ballot. In other words, a person could put the tape in a place that kept the system from counting votes for a particular candidate. The team also found that the keys that unlock Hart's ballot box could be used to open the ballot boxes on the Premier systems.
In a more serious attack, McDaniel found that his researchers could replace the memory card in some of the e-voting systems. "Any software you put on your card would be uploaded into the system's computer," he says.
Premier had already responded to EVEREST's findings, as well as to a similar project commissioned by California Secretary of State Debra Bowen called the Top-to-Bottom Review, in March by issuing a report that emphasized that the EVEREST researchers did their work with "no physical or operational security controls" and did not simulate realistic election day conditions. Premier could not be reached for comment.
The EVEREST researchers don't dispute that. Sandy Clark, an EVEREST researcher and the computing systems manager of Princeton University's Atmospheric and Oceanic Sciences Program, said at the Last HOPE hacker's conference held last month in New York City that she and her EVEREST colleagues "treated the project as a hack."
At the Last HOPE conference, University of Pennsylvania researchers who led EVEREST's analysis of ES&S e-voting technology described exploitable security vulnerabilities in almost every hardware and software component of ES&S's touch-screen and optical-scan systems. Some of these flaws, Clark said, could allow a single voter or poll worker with bad intentions to alter countywide election results, possibly without election officials ever knowing that the results had been tampered with. "There wasn't an attack that we tried that we weren't able to carry out," she added. "We learned that every current e-voting system has serious exploitable vulnerabilities."
In addition to investing in Premier systems, Ohio has spent more than $41 million on ES&S e-voting technology and is one of 43 states that are ES&S customers.
When contacted for this story, ES&S pointed to statements made earlier this year regarding EVEREST. Like Premier, ES&S concluded that anyone attempting to replicate many of EVEREST's tests would need "unfettered access to the DRE unit" as well as detailed knowledge of how the system works (to wit, its communications protocol with its audit log).
Despite their differences, Ohio and Premier are stuck with each other for the 2008 presidential election. "With the election being less than three months away, the counties will be using the technology they have," Brunner says. To head off any potential problems, Ohio counties using touch-screen voting systems are being required to print a hard copy of at least a portion of electronically cast votes, which will provide an audit trail. Voters will also be offered the option of filling out paper ballots that can be read by optical scanners and registered in a database.
E-voting systems have to be completely redesigned with security in mind, McDaniel says. In the short term, this means adding more thorough vote-auditing capabilities so that discrepancies can be investigated. "The elections systems should have the same quality, the same reliability, the same testing and the same certification requirements as financial systems," he says. "If the systems used by banks, which have to report to the SEC [Securities and Exchange Commission], had this level of quality, no one would put their money in the bank."
Looking beyond November, Brunner says that she wants Ohio to rely more on optical-scan technology. "Later on," she adds, "there may be a place for touch-screen (systems)."