Security Experts Question Leading E-Voting System
Diebold's software scrutinized
30 July 2003—Could a voter using an electronic voting machine prematurely shut down the machine before the scheduled end of an election? Could he or she vote an unlimited number of times? Could a poll worker cause votes to be miscounted, or modify the ballot itself? Could all this happen with an e-voting machine that’s being widely deployed throughout the United States?
The manufacturer, Diebold Inc. (North Canton, Ohio), says no, but a team of four respected computer security researchers, headed by Aviel Rubin of Johns Hopkins University (Baltimore, Md.), says these and a variety of other attack scenarios are all too possible. On 23 July, Rubin and two colleagues, Tadayoshi Kohno and Adam Stubblefield, and a fourth professor, Dan Wallach of Rice University (Houston, Tex.), issued a 24-page report, "Analysis of an Electronic Voting System" [http://avirubin.com/vote.pdf].
The report, which looks at source code independently obtained from a Diebold Internet site last January, concludes that an open process of software development—rather than the closed, proprietary process Diebold followed—would have resulted in a more secure voting system. The authors of the report obtained the code from a collection of thousands of documents identified in a "simple Google search," according to Beverly Harris, a journalist who is working on a book about electronic voting (see http://www.blackboxvoting.com for information about the book).
Diebold, for its part, repudiates the relevance of the analysis to actual voting conditions, but not its bearing on the code itself. In a statement released on 25 July, the company noted that many of the insecurities found by the researchers "only apply if the voting terminals are connected to the Internet or some other public network. This is never the case."
Diebold also points out that its system complies with the U.S. Federal Election Commission standards, which all election processes must follow, and that it has also received federal certification from independent testing authorities.
Documents in the Diebold Internet site collection suggest, however, that a version of the software was used in some elections without having been passed through the certification processes, says Douglas Jones, an associate professor in the University of Iowa’s (Iowa City) computer science department and a member of Iowa’s board of examiners for voting machines and electronic voting systems.
According to Jones, it’s also clear from the Diebold source code that errors found when Iowa first studied the company’s electronic voting system five years ago have not been corrected in the intervening time.
Jones has called for the decertification of Diebold’s system, and any other in which voting totals are "computed entirely from electronically transmitted totals"—that is, without a paper trail of printed ballots. The Rubin research team came to a similar conclusion. Describing what it calls the Mercuri method [see "A Better Ballot Box?" by Rebecca Mercuri, IEEE Spectrum, October 2002, pp. 46–50], Rubin’s team calls for systems where "the tally of the paper ballots takes precedence over any electronic tallies." A bill introduced in the U.S. House of Representatives in May by Rush Holt (D-NJ), the "Voter Confidence and Increased Accessibility Act of 2003" (HR 2239), would mandate just that.
To Probe Further
For background on voting systems that have come under criticism in California, see: "To Print or Not to Print: California Studies Electronic Voting Security," by Holli Riebeek.