With just nine months to go until Election Day, electronic voting machines remain as iffy and controversial as ever. The new technology was once widely viewed as an improvement over the antiquated paper ballots used in some states during the highly contentious 2000 presidential race that ushered George W. Bush into the White House (think: hanging chads). But it is still plagued by accuracy and security concerns.

In a recent report, the Government Accountability Office (GAO)—Congress's investigative arm—gave at best a lukewarm endorsement of electronic voting technology. Congress called upon the GAO to investigate the role that iVotronic direct-recording electronic (DRE) touch-screen voting machines, made by Election Systems & Software, Inc., in Omaha, Neb., played in the highly controversial 2006 election for Florida's 13th Congressional District, in which Republican Vern Buchanan edged out Democrat Christine Jennings by a whisker-thin 369 vote margin.

During that election, more than 18,000 of the 143,532 ballots cast on the e-voting machines in Florida's Sarasota County did not register a vote for either candidate. The GAO checked for flaws in voting machines used there during the election. As part of the effort, investigators examined the firmware (software embedded in the devices) to make sure it matched that certified by the State of Florida. They also tested the devices to make sure they properly recorded and counted the ballots and whether they could provide accurate results even if miscalibrated.

The agency's conclusion: "Although the test results cannot be used to provide absolute assurance, we believe that these test results, combined with the other reviews that have been conducted by Florida, GAO, and others, have significantly reduced the possibility that the iVotronic DREs were the cause of the undervote."

Although hardly a ringing endorsement for e-voting technology, the GAO's findings contradicted those of researchers at Dartmouth College and the University of California, Los Angeles, who, after conducting a separate study (released in September) found that the "exceptionally high ... undervote rate" in the Florida's 13th District race "was almost certainly caused by" a poorly designed and confusing electronic ballot displayed on the voting machine's touch screen.

Florida's own assessment of its e-voting technology statewide has been even less enthusiastic. The state last May commissioned a review led by Florida State University's Security and Assurance in Information Technology (SAIT) laboratory of voting system software made by Diebold Election Systems (which now calls itself Premier Election Solutions). Two months later, investigators released a scathing report in which they describe a glitch in Diebold's optical-scan firmware that enabled a "type of vote manipulation if an adversary can introduce an unofficial memory card into an active terminal" prior to an election. Such a card can be preprogrammed to essentially swap the electronically tabulated votes of two candidates or reroute all of one candidate's votes to a different candidate. The investigators simulated a cyber strike on their test systems and had no trouble carrying it out despite new mechanisms designed to protect against "similarly documented attacks in previous studies," the report states.

SAIT also found that the systems' encryption algorithms "had some cryptographic flaws," says SAIT co-director Alec Yasinsac, a Florida State University associate professor of computer science. In particular, the keys required to lock and unlock encrypted information were difficult to manage and safeguard against potential hackers. Once they cracked the encryption code, investigators found, intruders were able to access all encrypted data in the voting machine. "The types of attacks are very real," he says.

One of the greatest challenges when securing computers is accounting for the unexpected, says Seth Hallem, CEO of Coverity, Inc., the San Francisco–based maker of the source code analysis software that SAIT used during its probe of Diebold's system. This is becoming more difficult as increasingly sophisticated software—including that which runs electronic voting machines—continues to grow to encyclopedic portions. One program can contain tens of millions of lines of code.

Whereas certain technology—such as pacemakers and other medical devices—are heavily regulated and must adhere to strict design and construction standards, voting machines are still mostly unregulated. "There's no validation of how the software for these systems is designed and built," Hallem says, adding that this is "surprising given the importance of voting machines to our national infrastructure."

This has caused problems throughout the U.S. as different states attempt to assess the effectiveness of their e-voting technology. Following a review of e-voting machine security vulnerabilities and source code, California Secretary of State Debra Bowen in August decertified all e-voting machines in her state, other than those designed for disabled voters. Ohio Secretary of State Jennifer Brunner recently released the results of a probe into her state's electronic voting systems that concluded they, too, were riddled with "critical security failures" that could impact the integrity of elections.

"In the year 2000, when the Florida election went nuts, there were some electronic systems, but by and large the vast majority was done on handwritten ballots and punch ballots," SAIT co-director Yasinsac says. In the wake of the controversy, e-voting was held up as a way to restore integrity to the process. "We pushed this technology even though it was not ready," he adds. "Much of the software that the machines used is more than 10 years old and has been revised heavily, making it harder to review."

Any significant changes in election technology will come too late for this year's bid for the White House. In states such as Maryland, where Democratic Governor Martin O'Malley has proposed spending $6.8 million to buy new optical-scan machines to improve the accuracy of that state's elections, the technology will not be ready to go until 2010. Meantime, legislation introduced to the U.S. House of Representatives last year by Rep. Rush Holt [D–N.J.] that would require voter-verified permanent paper ballots (amending the tech-friendly but misguided Help America Vote Act of 2002) is languishing in committee and will not impact this year's elections.