E-voting hobbled by security concerns

Nearly all electronic voting machines in use today effectively remain black boxes without external methods of verifying the results.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
7 min read
It's been nearly five years since Americans received a painful education on the perils of traditional voting machines in Florida and almost one year since the 2004 election revealed perplexing irregularities in Ohio's vote tabulation methods.

Yet no uniform security standards exist for electronic voting machines. Even though they were used to tabulate a third of the votes in last year's presidential run, nearly all electronic voting machines in use today remain black boxes without external methods of verifying that the results have not been altered or sabotaged.

Possible threats to an accurate electronic vote tally are legion. They include everything from worms and viruses infecting Microsoft Windows-equipped systems to equipment tampering, code alteration and ballot box stuffing. On Friday, the National Institute of Standards and Technology, which is charged with researching voting security, is convening a conference in Gaithersburg, Md., to explore technological countermeasures.


What's new:
Nearly all electronic voting machines in use today remain black boxes without external methods of verifying that the results have not been altered or sabotaged.

Bottom line:
The National Institute of Standards and Technology, which is charged with researching voting security, is convening a conference to explore technological countermeasures.

More stories on e-voting

In principle, there should be an easy solution: Require that e-voting machines include what's known as a voter-verifiable paper trail. That would permit a voter to review a physical printout with his or her selections--perhaps under glass so the receipt can't be removed--which would also provide a way to perform a manual recount, if necessary.

But a complicated mix of partisan politics and the relative paucity of voter-verifiable products available today has delayed the switch to improved technology, according to election experts interviewed by CNET News.com.

Congress in 2002 also handed $650 million, through the Help America Vote Act (HAVA), to state officials for the purchase of electronic voting machines without imposing any voter-verifiable requirements. The money has already been spent, and federal politicians aren't eager to write a similar check again.

"They've spent the money provided by HAVA on machines without a paper trail," says Matt Zimmerman, an attorney at the Electronic Frontier Foundation in San Francisco who researches electronic voting. "And now they say they don't have money to upgrade."

Activists for the blind, too, have urged the speedy adoption of electronic voting machines. The National Federation of the Blind has filed a lawsuit (Click for PDF) against Volusia County, Fla., seeking an injunction forcing the installation of touch screen voting machines that are accessible to blind voters but lack a paper trail.

A congressional bottleneck
In Congress, at least four bills requiring paper trails were introduced in the first few weeks of 2005. All remain bottled up in committee, however, in part because key Republicans view e-voting reform as a Democratic ploy to cast doubt on the last two presidential races.

Counting votes
More and more votes are being cast
on electronic machines, thanks to
a federal law giving hundreds of
millions of dollars to states to
pay for upgrades. Punched cards'
popularity is dropping.

"This is one of those circumstances where you have a particular committee chairman, in this case Chairman Bob Ney of the House Administration Committee, who simply does not believe that there is an issue there," said Patrick Eddington, spokesman for Rep. Rush Holt, D-N.J. Holt is backing H.R.550, which requires an "individual voter-verified paper record" and is strongly supported by computer scientists.

Ney replied through a representative that states were free to set their own standards--including voter-verifiable ballots--under the 2002 HAVA law. "The congressman does not believe there should be a national federal mandate at this point in time," said Brian Walsh, a spokesman for Ney, an Ohio Republican. "In his view, the Help America Vote Act has not been implemented yet, and he's not supportive of reopening the bill until it has been fully implemented."

While Congress is tying itself in partisan knots, state legislators have been busy pressing ahead. At least 25 states have enacted verified-voting legislation, according to VerifiedVoting.org, with seven states adopting the requirement in the last three months alone. Legislation is pending in many others.

"The transparency of voting systems is critical to ensuring that the public is supportive of an election, mostly proving that the loser actually lost," said Cameron Wilson, the public-policy director of the Association for Computing Machinery, which supports verified-voting laws. "We (also) feel you should have stronger engineering and testing of both the design and operation."

Adding impetus to this state-by-state legislative trend is a report released last month by an election commission headed by former President Jimmy Carter and former Secretary of State

James Baker III. It states that a voter-verifiable paper audit trail will "increase citizens' confidence that their vote will be counted accurately," permit a recount, should one prove necessary, and allow a random selection of electronic voting machines to be tested for accuracy.

E-voting reformers divided
Complicating the move toward voter-verified receipts is a fierce internal debate between activists and computer scientists about how useful the receipts will prove in detecting election fraud.

Michael Shamos,
computer science
professor, Carnegie
Mellon University

"What I'm very much against is a requirement that all voting machines should have to have a paper trail," said Michael Shamos, a computer science professor at Carnegie Mellon University who has been the official examiner of electronic voting systems for Pennsylvania. He says the products with the necessary features aren't on the market yet.

"On a superficial, intuitive level, it sounds like a really appealing idea, and the proponents use some very persuasive arguments, usually along the nature of, 'You get a receipt when you go to the ATM, you get a receipt when you go to the grocery store, why can't we give you a receipt when you vote?'" Shamos said.

Shamos' counterarguments go something like this: Mandating paper trails will halt experimentation with better techniques, paper records have a long history of tampering by both major parties, and paper trails that record voters' choices on one long strip of paper will invade privacy because they show who voted first and last.

His last point--that long strip of paper--will be discussed at the NIST workshop Friday. A paper (Click for PDF) by John Wack of NIST notes that "this attack could be used to enforce vote selling,or simply to invade the privacy of voters and determine how particular individuals voted."

Michael Alvarez, co-director of the Caltech-MIT Voting Technology Project, says he's not opposed to the use of paper for purposes of voter verification. However, he adds, "we also have strongly argued that the legislation that moves in this direction ought to be open for the new technologies and shouldn't preclude the use of these other types of approaches."

Michael Alvarez,
Caltech/MIT Voting
Technology Project

That sort of nuanced argument tends to fall on deaf ears in state government. Ohio's law, for instance, calls for "a physical paper printout on which the voter's ballot choices, as registered by a direct recording electronic voting machine, are recorded."

Such a law, depending on how it's interpreted, could preclude innovative, cryptographically secure products such as two that are being developed by legendary inventor David Chaum and mathematician Andrew Neff that generate encrypted receipts for vote verification.

Next steps in the states
Manufacturers of electronic voting machines are racing to meet the different verified-voting deadlines and requirements set by state governments.

"What we have complies with proposed federal guidelines for 2005 and has already been approved by different states. Probably the most stringent is California, and we've already been certified by California," said Alfie Charles, a spokesperson for Sequoia Voting Systems. Sequoia's VeriVote printer was used in Nevada in the 2004 election.

All but one of Maryland's 24 counties use Diebold machines, first tested in the 2002 gubernatorial election, without voter-verifiable audit trails. After some Diebold source code leaked to the Internet, a group of computer scientists, including Maryland resident Avi Rubin, analyzed the software and concluded in a 2003 report that it falls "far below even the most minimal security standards applicable in other contexts."

Ross Goldstein, deputy administrator for the Maryland Board of Elections, says the state has commissioned a study by the University of Maryland at Baltimore County into voter verification. They're "going to get back to us with some recommendations in time to coincide with our next legislative session (starting in January) so it can be a guide for policymakers," Goldstein said.

But for now, he added, Maryland is confident in its current operation. "There's a lot of security and testing and different things that we do that obviously we feel very confident that we provide a very secure, very reliable voting system," Goldstein said.

Even if the dispute over voter-verified audit trails is eventually resolved, another lies on the horizon: access to source code used by voting machines. Should it be posted freely on the Internet, available only to researchers with credentials or kept a tightly held secret?

Shamos of Carnegie Mellon warns that advocates of more secure voting technology should tread carefully when demanding paper trails--or risk creating additional logs that could endanger voters' privacy.

It would be a shame, he said, if "people, in their frenzy to get rid of the perceived problems with voting security, in a misplaced effort to get some security, they've thrown away privacy."

CNET News.com's Anne Broache contributed to this report.