For years, computer scientists have warned that electronic voting systems, which generally employ touch screens or keypads to record votes onto electronic storage media, are vulnerable to tampering. Citing such security concerns, influential business magazine Fortune recently named electronic voting the Worst Technology of 2003.
Although Ohio Secretary of State Ken Blackwell has certified electronic voting systems in the past without in-depth security reviews, he recently hired independent consultants to evaluate the four systems that will replace punch-card voting in the state. Compuware Corporation conducted a security review of the hardware — voting terminals and network servers — and software — source code and operating systems — that comprise systems produced by Diebold Election Systems, Election Systems and Software (ESS), Hart InterCivic and Sequoia Voting Systems.
The study, released in late 2003, revealed numerous security risks: Diebold's system contains five high-risk security issues and 15 total security risks, ESS contained one high-risk issue and 17 overall, Hart contained four high and 10 overall and Sequoia contained three high and 15 overall.
Many of these risks exist because the vendors utilize no data encryption whatsoever or use very weak encryption methods to protect sensitive data. Data encryption technology is now widely available, easily employed and very powerful, consistently thwarting all but the most sophisticated hackers. Yet not one of Ohio's four voting systems encrypts audit logs — records used to determine if fraud has occurred — or ballot definitions — files that display candidate names and issues on the voting terminal screen and translate voters' selections into actual votes. Even the vote counts, the Holy Grail for those attempting to illegally change the outcome of an election, are unencrypted on the ESS, Hart and Sequoia systems and are only weakly encrypted on the Diebold system. Consequently, Compuware found that an unauthorized person could alter any or all of these three vital components on each of the four systems.
A person with access to the ballot definition could, with very little technical knowledge, alter the definition so that, when voters press a screen to vote for Candidate A, the vote is actually registered to Candidate B or vice versa, effectively switching the results of the election. This would be a powerful, predictable tool in a partisan polling location. Since audit logs are designed to alert officials to inconsistencies, modifying them to coincide with vote counts or ballot definitions that have been altered would effectively conceal the crime.
Compuware also found that the Diebold and ESS systems allow unencrypted ballot definitions and vote counts to be transferred between polling locations and election headquarters over unsecured routes, such as the Internet. This shortcoming will not affect Ohio, because election data aren't transmitted in that manner, according to Carlo LoParo, the Blackwell's spokesman. Ballot definitions are loaded directly onto voting terminals at election headquarters and vote counts contained on removable storage devices are hand-delivered to election headquarters after the polls close.
The card-based technology utilized by Diebold and Sequoia presents yet another security risk. Voters initiate a voting session by inserting plastic cards, known as smart cards, into the terminal. Because the communication between the smart card and the terminals is not encrypted, a knowledgeable person could cast multiple votes by creating homemade smart cards. The systems would interpret this as numerous people voting legitimately and, due to the privacy of the voting booth, this fraud could go unnoticed.
Compuware also discovered that Diebold encodes the poll supervisor's smart card with an unchangeable password of "1111," which Compuware guessed in less than two minutes. ESS hard-codes its supervisor cards with two three-digit passwords and allows the sole user-defined password to be disabled. Hart includes only an optional password into its source code and, on the Sequoia system, merely pressing a button on the back of the voting machine accesses supervisory functions. A secure system would require user-defined passwords, at least six digits in length and comprised of a complex mix of letters, numbers and symbols.
Because of such lax controls, an unauthorized person could end an election or erase counts for an entire polling location on the Diebold, ESS and Sequoia systems. On the ESS system, access to a supervisor's card also allows a person to cast multiple votes. On the Hart system, supervisory functions are limited to opening and closing the polls. Compuware also discovered a flaw that could cause the ESS system to over-count votes.
The four software vendors must now remedy these problems and submit their systems for re-certification. LoParo expects the vendors to succeed.
"All of the problems discovered in the study are easily correctable," he says.
Some of the machines were expected to be used in the March 2 primary election, but Blackwell has pushed that implementation date back to the special election in August. Blackwell will also seek to extend the federal deadline for statewide implementation to August 2006.
But merely following Compuware's recommendations will not result in secure voting, according to Aviel Rubin, a computer security expert with the Information Security Institute at Johns Hopkins University.
"The Ohio study found a very small subset of the problems that I believe exist with these machines," Rubin told broadcast news program Democracy Now. "If they fix all of the things in the Ohio reports, they're still going to have some very insecure voting machines."
With the current technology, there is one way to verify with an acceptable degree of certainty that a selection for Candidate A results in a vote for Candidate A: Through a rigorous audit process, paper verification of some voters' selections must be traced to election results. California requires such verifications and audits, and federal legislation in both houses of Congress would mandate it for all states.
But even when confronted with findings such as the Compuware report, vendors insist their machines are reliable and secure and that audits comparing paper verifications to machine-generated results are unnecessary. Blackwell apparently believes these unfounded claims. Ohio doesn't plan to require such audits unless forced to by Washington.