Ballot box blues

States, wary of DRE's software flaws, look for a verifiable paper trail

In 2006, a candidate for city council in St. Petersburg, Fla., had trouble voting for himself when the direct-recording electronic (DRE) machine he was using switched his vote to his opponent. Twice. He moved to another machine and cast his ballot, but lost the election anyway.

In Franklin County, Ohio, the 2004 presidential election raised eyebrows when results from one precinct showed President Bush winning by nearly 4,000 votes. The precinct only had 800 voters.

These and other documented problems with DRE voting machines, along with the lack of a verifiable paper trail, have left some states in a quandary as the November election approaches.

Software flaws have raised fears that the potential for inaccurate results could cloud the elections, but at this late date, they're likely stuck with the systems for this election cycle.

The potential for problems is widespread: In 2006, 34 percent of the country's 3,114 counties (and 39 percent of all voters) used electronic voting systems, according to a study by Election Data Services, a political consulting firm. DRE machines were used in 42 states, representing significant growth since 2000.

After reports of problems in previous elections with DRE voting machines, several states commissioned independent studies that concluded that DRE software lacks the reliability and verifiability to generate trustworthy results.

As many as six states re-evaluated their adoption of DRE. And dozens of states have adopted or are considering legislation or regulations that would address what critics say is DRE's biggest weakness, the lack of a paper trail, by requiring verifiable ballots.

A series of DRE system studies in California known as the Top-to-Bottom Review (GCN.com/1043), conducted last year by computer scientists from the University of California's Berkeley and Davis campuses, reported that DRE software showed architectural weaknesses, implementation flaws and vulnerabilities comparable to those found in commercial software built with little attention to information technology security. The report states that the DRE systems could be compromised without access to any of the manufacturers' proprietary code, and such attacks could permit wholesale and undetectable changes in election results.

California decertified and subsequently recertified those systems with several conditions attached (see 'California's corrections').

In Ohio, the secretary of state's Evaluation and Validation of Election-Related Equipment, Standards and Testing (Everest) study (GCN.com/1042) found flaws in the design and use of DRE system software provided by all three of the state's vendors: Election Systems and Software, Hart InterCivic and Premier Election Solutions.

Analysts found that each of the three vendors' systems could be compromised, sometimes by relatively simple attacks. 'To put it in everyday terms, the tools needed to compromise an accurate vote count could be as simple as tampering with the paper audit trail connector or using a magnet and a personal digital assistant,' Ohio Secretary of State Jennifer Brunner said.

A National Institute of Standards and Technology draft report issued in December 2006 pointed out that software-dependent systems such as DRE machines cannot be audited against any proof of the voter's intent, which contributes to 'continued questions about voting system security and diminished public confidence in elections.'

The report expressed doubt that the shortcoming could be corrected. 'NIST does not know how to write testable requirements to make DREs secure, and NIST's recommendation ... is that the DRE in practical terms cannot be made secure,' the report states.

NIST recommended the use of software-independent systems with a paper trail.

Most states have some form of voter-verified paper records and use them either statewide or on a county-by-county basis, the report states.

Others have proposed laws or regulations that would require paper records. Only five states (Delaware, Georgia, Louisiana, Maryland and South Carolina) use DRE systems alone.

In a national election, however, that still leaves a significant portion of voters reliant on electronic records.

'The problem in Maryland is, because it is a paperless system, you don't know whether the vote has been recorded internally,' said Robert Ferraro, co-director of SAVEourVotes.org and an advocate for replacing DRE equipment. 'So when you report the problem to [election officials], they don't know either.'

When a machine crashes, local election officials often move voters to other machines. 'In some cases, they have wound up with more votes than voters at the end of the day,' Ferraro said. 'So you can conclude that in some cases, those votes [from crashed machines] were recorded.'

Pushing paper

The problems have prompted a drive to replace electronic machines, though it's not likely to happen for this election. Earlier this month, a bill in the House that would have encouraged states to jettison DRE systems and return to paper ballots fell short of the two-thirds majority required to qualify for special expedited approval.

Rep. Rush Holt (D-N.J.), who sponsored the Emergency Assistance for Secure Elections Act of 2008, blamed White House opposition based on budget considerations for the bill's failure.

'This bill would represent a real step forward in our effort to protect the accuracy, integrity and security of the November elections,' Holt said April 15. 'The bill that the House leadership scheduled for a vote today is the same one that passed two weeks ago without the objection of a single [House Administration] Committee member.'

Vendors and government officials who have promoted the adoption of the technology reject arguments that the systems are unreliable.

DRE proponents point to the systems' advantages, such as improved accessibility and the favorable evaluations that voting administration officials have reported in dozens of elections.

The voting equipment industry's trade association discounts the criticisms of the systems' IT security on the grounds that the state studies don't account for real-world conditions and the full range of fraud-prevention measures built into voting policies and procedures.

The state-sponsored election technology studies don't reflect the entire election process under actual conditions, said David Beirne, executive director at the Election Technology Council. The council represents major voting system vendors.

'To date, none of these state-driven reviews of voting systems have embraced the three principles of election integrity: people, processes and technology,' Beirne said in an e-mail response to questions.

'When treated in a vacuum, no voting unit, or any technology, is going to withstand that level of scrutiny,' he said. 'It is unfortunate [that the state studies share this flaw] because one would think that state officials would be most interested to know if their procedures [that] operate around a voting system currently mitigate any of the documented threats to voting systems.'

Beirne said the voting process should be viewed as a whole, including the policies and processes set by state officials. 'The zero-tolerance threat model that has been used to review voting systems is unprecedented when it comes to voting systems, whether paper-based or electronic,' he said.

Stick with it

Despite doubts about the systems, voting process experts with varying views on election technology agree that it is too late to change the systems that most voters will use in November.

The drive to adopt DRE systems gained steam with the help of the Election Assistance Commission, a bipartisan organization Congress established via the Help America Vote Act of 2002.

EAC Commissioner Gracia Hillman cited the improvements that DRE technology affords, even though she said she realized there were widespread doubts caused by the lack of a verifiable paper record.

'On the benefits side, you have the factors of improved accessibility, not only by helping voters who have physical or cognitive disabilities but by helping election administrators accommodate the use of ballots in several different languages,' Hillman said. 'It is easier to program several different languages into a DRE device than to print ballots in multiple languages.'

'However,' she added, 'right now, those advantages are in tension with voters' mistrust of a system that does not produce a piece of paper that the voter can see.'

Hillman said few vote counts generated by DRE systems have led to challenges, and for the most part, the counties that have adopted the systems have done so successfully.

She said software flaws could play a role in challenges following the November general elections. 'If there is a close election in a jurisdiction that uses DRE [technology] without a voter-verifiable paper audit trail, I will not be surprised if questions are raised about software reliability,' Hillman said.

Brian Chess, chief scientist and co-founder at Fortify Software, whose software security company worked with Ohio's Everest study and California's Top-to-Bottom Review, agreed that states will likely have to go ahead with DRE systems in this election.

'The problem with the upcoming [general] election is that any county that doesn't have its election system locked in by now is in real trouble,' Chess said.

One of the most common and severe problems with the Microsoft Windows applications found in DRE and related election systems is the risk of buffer overflow problems, Chess said. In that case, programmers' mathematical errors can generate a fault that causes some memory locations to be improperly overwritten.

At that point, an intruder could insert malicious code, Chess said.

'Last year's events in California comprised one of the great victories for computer security,' he said, referring to the top-to-bottom voting system review. 'The techies got together and said the machines were not reliable, and the politicians listened.'

Beirne rejected the general attacks on DRE system software reliability. 'From an academic standpoint, there may be a disagreement as to whether something is programmed using correct programming conventions or is the best manner for doing so. I equate this to an English professor telling me not to use passive voice.'

California's corrections

After University of California computer scientists conducted a technical evaluation in 2007, California Secretary of State Debra Bowen effectively decertified all the direct-recording electronic (DRE) systems formerly approved for use in the state, pending adoption of the following security upgrades. The systems have since been recertified.

● Reinstall the firmware or software in all voting system components.

● Remove, block or disable access to unneeded ports on the machines.

● Harden the servers to improve security.

● Follow security protocols recommended or required by the vendor.

● Ban all modem and wireless connections, regardless of their purpose, to prevent unauthorized access to computers, networks or the Internet, all of which would present significant security risks.

● Add security seal and chain-of-custody provisions, some of which already existed.

● Require a 100 percent manual count of all ballots cast on the Sequoia Voting Systems and Diebold Election Systems (now Premier Election Solutions) DRE machines.

● Adopt procedures to require more manual auditing in cases in which the results of a race are within a certain margin. The secretary of state's office planned to specify the details of the procedures after consulting with election officials.
