Issues in electronic voting machine security

A number of recent studies have highlighted the security concerns over e-voting machines.

When it comes down to it, voting systems — electronic or other -- serve one important purpose. They must convince the loser that they have lost fairly. Americans have other stringent criteria they want their voting systems to meet though. Voting systems must be auditable; when things get close, the results should be available to be re-checked. Voting systems must also be secure, accurate, reliable and accessible.

Oh, and we want the election results, now.

Electronic voting machines, able to tally the votes faster and easier, have the advantage of efficiency.

Ben Jun, vice president of technology at data security company, Cryptography Research, Inc., said that with a higher level of public scrutiny, electronic voting machines are very different from the type of machines we are used to building and administering.

And according to the findings of a 2007 top-to-bottom review of the voting systems in California, electronic voting machines aren't secure. After finding a number of security vulnerabilities in all of the e-voting machines analysed, Secretary of State Debra Bowen has significantly restricted the use of such systems in the state, limiting them to one per polling place, only to be used by handicapped persons.

“It was a big deal because as far as the counties were concerned, completing a review of voting machines in 2007 when you has a big election in 2008 was short notice,” Brian Chess, founder and chief scientist at Fortify told SCMagazineUS.com.

Electronic voting includes both touch screen and optical scan units. With optical scan voting systems, the voter marks their ballot by hand then ballots are scanned, tabulated and written to a memory card. But it's the touch screen machines that have come under fire. Numerous studies have shown that it would be easy to introduce malicious software into e-voting machines and sway an election.

A study conducted by Princeton University researchers was released recently stating that New Jersey's electronic voting system could be easily hacked about seven minutes. Researchers said in the report that this exploit would be practically undetectable.

Chris Riggall, spokesperson for voting product retailer Premier Election Solutions whose parent company is e-voting machine retailer Diebold told SCMagazineUS.com that the studies claiming it's possible to introduce malicious code into e-voting machine software have never been conducted in a real-world voting environment, with the election safeguards that are taken.

Riggall said, in addition, with e-voting, instances of fraud haven't happened yet, while other forms of voting have experienced known fraud.

A recent report titled “Voting in America” by Fortify rated typical voting techniques from best to worst. Direct Recording Electronic (DRE) voting was rated fourth out of six, behind hand counted paper, optical scan and absentee voting.

DRE voting was only rated ahead of lever machine and punch card voting. The advantages of these machines are the privacy, ease of use, ability to support multiple languages, ability to accommodate voters with disabilities and the instantaneous results.

DRE voting accounts for about a third of all voting, Chess said. Though there are some advantages, Fortify rated DRE voting one of the worst because of its lack of verifiability and accuracy. Some electronic voting machines have been cited as more secure, namely those with voter-verified paper audit trail (VVPAT) capability.

Every time a vote is recorded on one of these e-voting machines with VVPAT technology, there is a printout for the voter, so there is a paper record that can be recounted if necessary. Jun is a proponent of VVPAT technology and said most counties are now purchasing e-voting machines with this feature but some voters will be using machines without this capability.

“The whole point of the system is to have a very strong check,” Jun said. “Unfortunately there are some counties that have purchased machines without this option and I think that's a mistake.”

On Nov. 4, 104,000 Diebold touch screen electronic voting machine units will be used throughout the country and 22,000 optical scan ballot tabulators will be used. Almost 70 percent of the Diebold touch screens in the field produce VVPAT, Riggall said.

The majority of jurisdictions using Diebold equipment will be voting on the optical scan system. Only one optical scan tabulator is needed per precinct, while some precincts may have up to 20 touch screen units operating at once, Riggall said.

While e-voting machines with VVPAT technology are better than those without, having this technology doesn't make them completely secure.

“This modification hasn't been 100 percent effective — printers jam and run out of ink and the glass that projects receipts from tamper becomes scratched and difficult to see through,” the report states.

In their report, Fortify also recommend measures to ensure the safety of electronic voting systems going forward.

Future improvements to the election process should be made as a collaborative effort between state and federal election officials and e-voting machine vendors to ensure security is built into the machine's software. Vendors should also be working with the commercial sector to conduct code review and penetration testing on machines, the report recommends.

Another new report detailing how prepared each state is to deal with voting system failure in November also prefers other voting systems over DRE machines. “Is America Ready to Vote?” was conducted by the Brennan Center for Justice at New York University School of Law, Common Cause Education Fund and Verified Voting foundation.

The report states that optical scan ballot systems offer advantages over DRE systems with or without VVPAT technology and should replace DREs. In addition, if DREs are used, they should not be used without VVPAT technology.

The report indicates however, that 19 states use machines without VVPAT technology.

“Such records can be an important check to ensure that corrupt software or a programming error did not result in incorrect machine total,” the report states.

Even with VVPAT technology as an additional safeguard, it won't provide any benefit if the paper record is not audited, which the vast majority of states don't do.

“Paper records will not prevent programming errors, software bugs or the introduction of malicious software into voting systems,” the report states.

Bev Harris, founder of Black Box Voting told SCMagazineUS.com that VVPAT technology or not, e-voting machines are not secure. She said the core of the issue is not whether machines are secure, but whether all votes are counted in public.

It's a debate that has been going on for the past decade at least and reaches beyond electronic voting machines, Chess said. Is your code more secure whether it's open or closed?

“As far as I'm concerned it's basically a draw,” Chess said.

Jun said he doesn't think making the source code open to public review will necessarily make machines more secure.

Harris said open-source code is a right of the public's and is necessary to ensure a secure and accurate election. All computerised voting is completely vulnerable to inside manipulation. States and counties cannot secure a secure and accurate election, only the public can do that, Harris said.

“A machine can never be ‘secure' against its own administrator,” Harris said.

Riggall said with e-voting there are significantly more protections against the threat of inside manipulation compared to paper ballot voting.

The machines print out a results tape at the end of an election that looks like a cash register printout with all the votes which would be reviewable, along with the onboard memory of the unit itself. If available, VVPAT would be also reviewable.

“The security bar for e-voting machines keeps getting raised and that's a good thing,” Riggall said.

Ed Felten, professor of computer science at Princeton University agrees that having electronic voting machines source code available to public scrutiny does help secure an election and additionally helps public confidence.

“Even those who do cannot read the source code itself can have more confidence in knowing that it is available to experts,” Felten said.

See original article on scmagazineus.com

Copyright © SC Magazine, US edition

evotinghousemccainnovemberobamapresidentialsecuritywashingtonwhite